RC5 is a secret key block cipher designed by Rivest [5]. Kaliski and Yin [1] published a linear cryptanalytic attack on RC5 at Crypto 95, which still remains the only linear attack on RC5 that has been published in the open literature. We will refer to this attack as the KY-attack. In this paper we show that the KY-attack does not work as expected due to the failure of some hidden assumptions involved. Then we present some new attacks. Our attacks are based on the same linear approximation used in the KY-attack, but they differ from that attack in the way they use the approximation to recover the secret key.

We first briefly review RC5 and linear cryptanalysis. RC5 has a variable block size, a variable number of rounds and a variable-length secret key. A particular RC5 algorithm is denoted by its parameters as RC5-w/r/b, where w is the word size in bits (half of a block is called a word), b is the key size in bytes and r is the number of rounds. For the encryption algorithm we adopt the notation used in [1]. The algorithm is as follows:



Ali Aydın Selçuk

L_1 = L_0 + S_0
R_1 = R_0 + S_1
for i = 2 to 2r + 1
    L_i = R_{i−1}
    R_i = ((L_{i−1} ⊕ R_{i−1}) <<< R_{i−1}) + S_i

In the algorithm "+" denotes addition modulo 2^w, "⊕" denotes bitwise xor and "<<<" denotes left rotation. Each iteration of the for loop is referred to as a half-round; the first half-round refers to the two initial equations. L_{i−1}, R_{i−1} denote the left and the right halves of the input and S_i denotes the subkey at the i-th half-round. (L_0, R_0) is the plaintext; (L_{2r+1}, R_{2r+1}) is the ciphertext.

Linear cryptanalysis is a kind of statistical correlation attack on block ciphers which was developed by Matsui [4] in 1993. The basic idea of linear cryptanalysis is to find a linear relation, which is called an approximation, among the plaintext, ciphertext and key bits such that the probability of the approximation is different from 1/2. But if a wrong value is substituted for the key bits in the approximation, the approximation will behave randomly (i.e. its probability will be 1/2). The attacker collects plaintext/ciphertext pairs which are encrypted under the same key. Then he tries all possible combinations of the key bits involved in the approximation with all the plaintext/ciphertext pairs he has collected. The correct key bit combination is distinguished by its non-random behavior. Matsui [3] showed that the success probability of the attack is proportional to √N |p − 1/2|, where N is the number of plaintext/ciphertext pairs collected.

Some specific notation used in this paper is as follows. RC5-w/r denotes the RC5 scheme with w-bit words and r rounds, where each round key is generated independently. x[i] denotes the i-th bit of a binary string x, and x[i...j] denotes the i-th through j-th bits of x; n denotes 2r + 1.

The remainder of the paper is organized as follows. In Section 2 we discuss the hidden assumptions in the KY-attack and explain why they do not hold. In Sections 3 to 7 we present our attacks and discuss their success rates. In the final section we conclude with some open research problems in linear cryptanalysis of RC5 and discuss briefly the factors that make linear cryptanalysis of RC5 harder than linear cryptanalysis of DES-like ciphers.



In this section we briefly discuss the KY-attack and show the hidden assumptions that cause the attack to fail.

New Results in Linear Cryptanalysis of RC5

2.1

Let T denote S_1[0] ⊕ S_3[0] ⊕ ... ⊕ S_{2r−1}[0]. The approximation used in the KY-attack is

R_0[0] ⊕ L_{2r}[0] = T    (1)

which is obtained by combining the half-round approximation

R_1[0] = R_0[0] ⊕ S_1[0]

and the half-round approximation

R_i[0] = L_{i−1}[0] ⊕ S_i[0]

for i = 3, 5, ..., 2r − 1. The probability of this approximation, which we denote by p, is 1/2 + 1/(2w^{r−1}).

The KY-attack was different from all the previously published linear cryptanalytic attacks in that it was composed of multiple steps, where each step aimed to recover one bit of the round key. The outline of the attack algorithm is as follows:

1. Guess S_n[0] by using data with L_n mod w = 1.
2. Guess T by using data with L_n mod w = 0.
3. For i = 1, ..., w − 1, guess S_n[i] by using data with L_n mod w = i.

The point that is important for us in this algorithm is that at each step L_n mod w is fixed to a certain value.

2.2

We implemented this attack on RC5-16/2 with 2|p − 1/2|^{−2} plaintext/ciphertext pairs for each different value of L_n mod w (i.e. w · 2|p − 1/2|^{−2} texts in total). The success rate we observed for recovering S_n was around 11–15%, as opposed to the 95–99% that was expected by Kaliski and Yin. Even more surprisingly, the success rate did not improve as we increased the amount of data used. These results led us to the following observations.

Let E_i, for i = 3, 5, ..., 2r − 1, denote the event that the half-round approximation R_i[0] = L_{i−1}[0] ⊕ S_i[0] holds. The probability of the approximation P(E_i) can be calculated as

P(E_i) = P(E_i | R_{i−1} mod w = 0) · P(R_{i−1} mod w = 0)
       + P(E_i | R_{i−1} mod w ≠ 0) · P(R_{i−1} mod w ≠ 0).

P(E_i | R_{i−1} mod w = 0) is always equal to 1, P(R_{i−1} mod w = 0) is equal to 1/w and P(E_i | R_{i−1} mod w ≠ 0) is equal to 1/2; hence P(E_i) is equal to 1/2 + 1/2w.

An important point in the KY-attack is that at each step the value of L_n mod w is fixed to a certain value, and it is implicitly assumed that the probability of approximation (1) does not depend on L_n mod w. This assumption is based on two other assumptions:

1. The probability P(R_{i−1} mod w = 0) does not depend on L_n mod w;
2. The probability P(E_i | R_{i−1} mod w ≠ 0) does not depend on L_n mod w.

We will refer to these two assumptions as Assumption 1 and Assumption 2, respectively.






2.3

We observe that the probability of zero rotation in the (n−2)nd half-round, i.e. P(R_{n−3} mod w = 0), depends on L_n mod w; hence Assumption 1 does not hold:

R_{n−3} = L_{n−2}
        = ((R_{n−1} − S_{n−1}) >>> R_{n−2}) ⊕ R_{n−2}
        = ((L_n − S_{n−1}) >>> R_{n−2}) ⊕ R_{n−2}.

Therefore when L_n − S_{n−1} is fixed, the distribution of R_{n−3} is not uniform. Hence the probability P(R_{n−3} mod w = 0), and therefore the probability of approximation (1), is not independent of L_n mod w.

As an example, let δ denote the difference (L_n − S_{n−1}) mod w and ρ denote R_{n−3} mod w. The probability P(ρ = 0 | δ = 0) for w = 16 is 1.56/w, as opposed to the expected probability 1/w.

2.4

Also observe that Assumption 2, i.e. that P(E_{n−2} | ρ ≠ 0) is independent of L_n mod w, does not hold for the (n−2)nd half-round any more than Assumption 1 does. First we observe that the half-round approximation

R_{n−2}[0] = L_{n−3}[0] ⊕ S_{n−2}[0]    (2)

can be expressed in terms of R_{n−2}, S_{n−2} and ρ. The approximation is

R_{n−2}[0] = L_{n−3}[0] ⊕ S_{n−2}[0]
           = ((R_{n−2} − S_{n−2}) >>> ρ)[0] ⊕ R_{n−3}[0] ⊕ S_{n−2}[0]
           = ((R_{n−2} − S_{n−2}) >>> ρ)[0] ⊕ ρ[0] ⊕ S_{n−2}[0].

Second, we know from Section 2.3 that ρ (i.e. R_{n−3} mod w) is equal to (((L_n − S_{n−1}) >>> R_{n−2}) ⊕ R_{n−2}) mod w. Therefore we observe that conditions on L_n − S_{n−1} and ρ together give information about R_{n−2} mod w.

These two observations imply that when L_n − S_{n−1} and S_{n−2} are fixed, the condition ρ ≠ 0 gives information about approximation (2) and possibly causes the probability P(E_{n−2} | ρ ≠ 0) to be different from 1/2. For example, for w = 16, L_n − S_{n−1} = 1 and S_{n−2} = 0, the probability P(E_{n−2} | ρ ≠ 0) is equal to 0.494 as opposed to 0.5.

At this point we should remark that the probability of the approximation does not depend on the top w − lg w bits of S_{n−2}. This is because ρ and L_n − S_{n−1} give information about only the last lg w bits of R_{n−2}; therefore (R_{n−2} − S_{n−2}) >>> ρ has a uniform distribution in its low-order bit when ρ ≥ lg w, whatever the value of S_{n−2}.

2.5

In every step of the attack the difference L_n − S_{n−1} is fixed. When L_n − S_{n−1} is fixed, R_{n−3} and R_{n−2} have a non-uniform distribution. This fact has two effects on the probability of the (n−2)nd half-round approximation: First, the probability P(R_{n−3} mod w = 0) may be different from 1/w. Second, the probability P(E_{n−2} | R_{n−3} mod w ≠ 0) may be different from 1/2.

Table 4 in the Appendix lists the bias of approximation (2) for different values of L_n − S_{n−1} mod w and S_{n−2} mod w for w = 16. What is particularly important in Table 4 for the attack of Kaliski and Yin is the negative entries, which correspond to the case p < 1/2. Success of Steps 2 and 3 of the attack depends on the assumption that p > 1/2 for every single value of L_n mod w. If the (i, j) entry of Table 4 is negative, then for S_{n−2} mod w = j the attack fails with a very high probability at the step where L_n − S_{n−1} mod w is fixed to i, and the failure probability goes to one as the amount of data used goes to infinity. With respect to the numbers in Table 4 we calculate that the success rate of the attack for recovering the last round key S_n in RC5-16/2 goes to 9.375% as the amount of data goes to infinity. We also calculate the success rate with 2|p − 1/2|^{−2} texts as 13.9%. These results match our experimental results in Section 2.2 very well.
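An added Python experiment (not code from the paper) that implements RC5 in the half-round notation above and measures two things on RC5-16/2 with independent random round keys: the empirical probability of approximation (1), and the probability of zero rotation in the (n−2)nd half-round, P(R_{n−3} mod w = 0), separately for each value ρ of L_n mod w. The rate for the ρ with δ = (L_n − S_{n−1}) mod w = 0 reproduces the 1.56/w of Section 2.3 against the 1/w that Assumption 1 expects; the key model, the seed and N are constructed here.

```python
import random

W = 16                     # word size of RC5-16/2, the cipher used in the paper's experiments
R = 2                      # rounds; n = 2r + 1 half-rounds
N_HALF = 2 * R + 1
MASK = (1 << W) - 1

def rotl(x, k):
    """Left rotation of a w-bit word; only k mod w matters, as in RC5."""
    k %= W
    return ((x << k) | (x >> (W - k))) & MASK

def encrypt_trace(L0, R0, S):
    """RC5 in the half-round notation of the paper. S holds S_0 .. S_{2r+1}.
    Returns [(L_0,R_0), (L_1,R_1), ..., (L_n,R_n)] so that intermediate
    half-round outputs (and hence rotation amounts) can be inspected."""
    trace = [(L0, R0)]
    L, Rr = (L0 + S[0]) & MASK, (R0 + S[1]) & MASK
    trace.append((L, Rr))
    for i in range(2, N_HALF + 1):
        # L_i = R_{i-1};  R_i = ((L_{i-1} xor R_{i-1}) <<< R_{i-1}) + S_i
        L, Rr = Rr, (rotl(L ^ Rr, Rr) + S[i]) & MASK
        trace.append((L, Rr))
    return trace

def experiment(S, N, rng):
    """Encrypt N random plaintexts under round keys S and return
    (empirical probability of approximation (1),
     {rho: P(R_{n-3} mod w = 0 | L_n mod w = rho)})."""
    T = 0
    for i in range(1, 2 * R, 2):          # T = S_1[0] xor S_3[0] xor ... xor S_{2r-1}[0]
        T ^= S[i] & 1
    holds = 0
    zero_rot = {rho: [0, 0] for rho in range(W)}   # rho -> [zero-rotation count, texts]
    for _ in range(N):
        tr = encrypt_trace(rng.getrandbits(W), rng.getrandbits(W), S)
        R0 = tr[0][1]
        L2r = tr[2 * R][0]
        Ln = tr[N_HALF][0]
        if ((R0 ^ L2r) & 1) == T:         # approximation (1): R_0[0] xor L_{2r}[0] = T
            holds += 1
        c = zero_rot[Ln % W]
        c[1] += 1
        if tr[N_HALF - 3][1] % W == 0:    # rotation amount of the (n-2)nd half-round is R_{n-3} mod w
            c[0] += 1
    return holds / N, {rho: c[0] / c[1] for rho, c in zero_rot.items() if c[1]}

def run(seed=1, N=160_000):
    """Independent random round keys (the RC5-w/r model of the paper), constructed here.
    Returns (p_hat, zero-rotation rate for the rho with delta = 0, mean rate over all rho)."""
    rng = random.Random(seed)
    S = [rng.getrandbits(W) for _ in range(N_HALF + 1)]
    p_hat, rates = experiment(S, N, rng)
    rho_delta0 = S[N_HALF - 1] % W        # delta = (L_n - S_{n-1}) mod w is 0 exactly for this rho
    return p_hat, rates[rho_delta0], sum(rates.values()) / len(rates)

if __name__ == "__main__":
    p_hat, d0, mean_rate = run()
    print(f"P(approximation (1) holds) ~ {p_hat:.4f}  (1/2 + 1/(2w^(r-1)) = {0.5 + 1 / (2 * W ** (R - 1)):.4f})")
    print(f"P(zero rotation | delta = 0) ~ {d0:.4f} ({d0 * W:.2f}/w), mean over rho ~ {mean_rate:.4f} ({mean_rate * W:.2f}/w)")
```

For r = 2 the chain in (1) contains a single half-round approximation, so the measured p is the 1/2 + 1/2w of Section 2.1; the key dependence noted at the end of the paper concerns r ≥ 3, where consecutive half-round approximations interact.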



We developed a number of new linear cryptanalytic attacks on RC5. They all use approximation (1), but they differ from the attack of Kaliski and Yin in the way they use the approximation to recover the round key S_n. Our attacks are similar to "Algorithm 2" of Matsui [3], which is sometimes referred to as the 1R-method: we unroll the last round and substitute the actual value of L_{2r}[0] in approximation (1), which is ((R_n − S_n) >>> ρ)[0] ⊕ L_n[0], where ρ denotes L_n mod w (i.e. the rotation amount in the last half-round). So the approximation becomes

R_0[0] ⊕ ((R_n − S_n) >>> ρ)[0] ⊕ L_n[0] = T.    (3)

An important difference of our attacks from the 1R-method of Matsui is that when we substitute wrong values for S_n in approximation (3), the bias of the approximation is not zero. Moreover the bias can be expressed in terms of s, S_n, ρ and the probability of the approximation, as will be shown in Section 4.

Our attacks can be classified into two types. In the first one we fix ρ (i.e. L_n mod w) to a certain value at each step and we aim to recover one key bit at a time. We will refer to the attacks of this type as the 1-bit attacks. In the second type of attack we aim to recover a group of consecutive key bits at the same time. We will refer to the attacks of this type as the multi-bit attacks. We will describe the attacks in more detail in Sections 5 and 6.

An important issue in the experimental comparison of the attacks presented in the following sections is that they are all run on relatively small versions of RC5 such as r = 2, 4. The reason for this choice of small parameters is just to make the experiments computationally feasible. Our attack techniques all use the same approximation (i.e. approximation (3)) and they differ only in the way they use this approximation to recover the secret key. Therefore increasing the number of rounds does not have much effect on the relative performance of these attack techniques, and the experiments with relatively small values of r give a fair comparison of the attacks.

[Figure 1 (plot not recoverable). The horizontal axis denotes the possible key values s that can be substituted for S_n[0...ρ]; n_s denotes the number of different values of R_n[0...ρ] such that ((R_n − s) >>> ρ)[0] = ((R_n − S_n) >>> ρ)[0]; S'_n is the key that differs from S_n only at the ρ-th bit.]



As mentioned in Section 3, something special with approximation (3) is that when a wrong key value s is substituted for S_n the bias of the approximation is not zero. An important observation for understanding the behavior of the approximation is the following. When s is substituted for S_n in approximation (3), the result is the same as the result for S_n if and only if ((R_n − s) >>> ρ)[0] is the same as ((R_n − S_n) >>> ρ)[0]. These two bits agree when one of the following two conditions is satisfied. Let s_min denote min{S_n[0...ρ−1], s[0...ρ−1]} and similarly let s_max denote max{S_n[0...ρ−1], s[0...ρ−1]}.

1. s[ρ] = S_n[ρ] and (R_n[0...ρ−1] < s_min or R_n[0...ρ−1] ≥ s_max).
2. s[ρ] ≠ S_n[ρ] and s_min ≤ R_n[0...ρ−1] < s_max.

Let n_s denote the number of different values of R_n[0...ρ] such that we have ((R_n − s) >>> ρ)[0] = ((R_n − S_n) >>> ρ)[0]. Figure 1 illustrates the value of n_s for 0 ≤ s < 2^{ρ+1}. More specifically, n_s is 2^{ρ+1} for the correct key S_n; it decreases by two as s gets further from S_n in either direction; and it is zero at S'_n, which denotes the key that differs from S_n only at the ρ-th bit.

Assuming that the event that the approximation holds and the event that the result of the approximation is the same for both s and S_n are independent (where both probabilities are taken over the plaintext), we obtain a similar figure for the bias of the approximation with s substituted for S_n. Figure 2 shows the expected bias of approximation (3) for different values of s. Let N denote the number of plaintext/ciphertext pairs satisfying L_n mod w = ρ for some fixed ρ. Let U_s denote the number of those texts such that the left side of approximation (3) is 1 when we substitute s for S_n, and let B_s denote the bias U_s − N/2. Figure 2 illustrates the expected bias B_s for 0 ≤ s < 2^{ρ+1} assuming B_{S_n} > 0.

The significance of Figure 2 is that it shows what the expected bias of approximation (3) will be when L_n mod w is fixed and a wrong value s is substituted for the round key S_n. This behavior of the bias has a crucial role in the attacks we develop in this paper, especially in the 1-bit attacks (see Section 5).



[Figure 2 (plot not recoverable): E[B_s] plotted against s, with the vertical axis marked N(p − 1/2), 0 and −N(p − 1/2).]

Fig. 2. Expected bias for different values of s for L_n mod w = ρ. S''_n is the key that differs from the correct key only at the (ρ−1)st bit. p denotes the probability of the approximation given L_n mod w = ρ.
In this section we discuss the attacks that recover the round key in a bitwise fashion (i.e. recovering one bit at a time). The aim of these attacks is to recover the key bit S_n[ρ−1] by using data with L_n mod w = ρ, given that the key bits S_n[0...ρ−2] are already recovered. The idea of attacking the (ρ−1)st bit instead of the ρ-th one is inspired by the fact that p may be either less or greater than 1/2 depending on the values of ρ, S_{n−1} and S_{n−2} (see Appendix A). Moreover the number S'_n that differs from S_n only at the ρ-th bit has the exact inverse bias of the correct key S_n (i.e. B_{S'_n} = −B_{S_n}) for the data with L_n mod w = ρ (Figure 2). Therefore we cannot distinguish between S_n and S'_n by using data with L_n mod w = ρ, since we do not know if p > 1/2 or not; and we cannot know if S_n[ρ] is 0 or 1. But this is not the case for S_n[ρ−1]: the number S''_n that differs from S_n only at the (ρ−1)st bit has zero expected bias for the data with L_n mod w = ρ regardless of p (Figure 2). Therefore we can distinguish between S_n and S''_n, and hence find out S_n[ρ−1], by using data with L_n mod w = ρ even if p < 1/2.

All of our 1-bit attacks are based on a generic attack algorithm. Assume we have recovered the key bits S_n[0...ρ−2] and let s_0 and s_1 denote the two candidates 0∥S_n[0...ρ−2] and 1∥S_n[0...ρ−2] respectively, where ∥ denotes string concatenation. A_{s_t} for t = 0, 1 is a statistical variable which is supposed to be large for the correct key and small for a wrong key. The generic attack algorithm is as follows:



1. Compute A_{s_t} for t = 0, 1.
2. If A_{s_0} > A_{s_1}, guess S_n[ρ−1] = 0; otherwise guess S_n[ρ−1] = 1.

Our 1-bit attacks vary by the definition of the variable A_{s_t}. Let S_{s_t} denote the set of points in the 2^{ρ−2} neighborhood of s_t, i.e. the set defined by S_{s_t} = {s : |s − s_t| < 2^{ρ−2}}.

Attack 1: A_{s_t} = |B_{s_t}|.
Attack 2: A_{s_t} = |Σ_{s ∈ S_{s_t}} B_s|.
Attack 3: A_{s_t} = Σ_{s ∈ S_{s_t}} |B_s|.
Attack 4: A_{s_t} = max_{s ∈ S_{s_t}} |B_s|.

Intuitively, Attack 1 simply compares the biases of s_0 and s_1. The other three attacks, on the other hand, also use the biases of the points in the 2^{ρ−2} neighborhood of s_0 and s_1 (the choice of 2^{ρ−2} is because s_0 + 2^{ρ−2} is the mid-point of s_0 and s_1). As we will discuss shortly, our experiments have shown that Attack 1 has the best success rate among the four.

We calculate the success rate of Attack 1 as

N p- / 1 1 

-=e~yA dy-=e~^' / dx, ( 4 ) 

Np- / 2 tt 2tt 





and of Attack 2 as

. 3 N p- / 1 1 

-=e~y ! dy-=e~^' ! dx. (5) 

. 3 N p- / 2tt 2tt 

It is not straightforward to obtain a closed-form theoretical result for the success rate of Attacks 3 and 4. Therefore we compared the attacks experimentally on RC5-16/2 on a sample of 10,000 different cases and for different values of ρ. The experimental results indicate that Attack 1 is the best among the four. For Attacks 1 and 2 the experimental results match the theoretical results given in (4) and (5) very well.



Attacks 1 and 2 are special cases of a more general attack, which we call Attack d. Let S_{s_t,d} denote the d-neighborhood of s_t, i.e. S_{s_t,d} = {s : |s − s_t| < d}. Attack d uses the generic attack algorithm with A_{s_t} = |Σ_{s ∈ S_{s_t,d}} B_s|. Note that this is the same as Attack 1 for d = 0 and the same as Attack 2 for d = 2^{ρ−2}. We calculate the success rate of Attack d approximately as

Np- / ^ ^ _ 

— e ^ ! dy — —e ^ ^ dx, 

N p- / 27T 27T 

which is maximized at d = 0. This result implies that Attack 1 has the highest success rate among all versions of Attack d.




5.2

A limitation of Attack 1, and also of the other 1-bit attacks discussed so far, is zero bias (i.e. p = 1/2), which occurs for certain values of ρ, S_{n−1} and S_{n−2} (see Appendix A). In such cases these attacks are no better than random guessing. One way to overcome this problem is to use the data with L_n mod w > ρ as well as those with L_n mod w = ρ to recover S_n[ρ−1].

We present such a modification of Attack 1, which we call Attack 1'. It uses the data with L_n mod w = ρ + 1 as well as the data with L_n mod w = ρ to guess S_n[ρ−1].

As in Attack 1, let s_0 and s_1 denote the two candidates 0∥S_n[0...ρ−2] and 1∥S_n[0...ρ−2] respectively, and similarly let s_i denote i∥S_n[0...ρ−2] for i = 00, 01, 10, 11. The idea of Attack 1' is to compare the biases of the four possible key candidates s_00, s_01, s_10, s_11. If the bias is maximized for s_00 or s_10 we guess S_n[ρ−1] as 0, otherwise we guess it as 1. The calculation of the biases of these four points is as follows. As in Attack 1, B_{s_0} and B_{s_1} denote the biases of s_0 and s_1 taken over the data with L_n mod w = ρ. Similarly B_{s_i} denotes the bias of s_i for i = 00, 01, 10, 11 over the data with L_n mod w = ρ + 1. We guess S_n[ρ−1] = 0 if |B_{s_0}| + max{|B_{s_00}|, |B_{s_10}|} is greater than |B_{s_1}| + max{|B_{s_01}|, |B_{s_11}|}; otherwise we guess S_n[ρ−1] = 1. (This is the generic 1-bit attack algorithm where A_{s_t} is defined as |B_{s_t}| + max{|B_{s_{0t}}|, |B_{s_{1t}}|}.)

We experimentally compared Attack 1 and Attack 1' on RC5-16/2. The experimental success rates are given in Table 1. N denotes the available number of texts for each particular value of L_n mod w. The results show that Attack 1' is significantly better than Attack 1.



[Table 1 (numeric entries not recoverable): rows N = 1,000 up to 100,000; columns Attack 1 and Attack 1'.]

Table 1. Success rate of Attack 1 and 1' on RC5-16/2 for recovering one bit of the last round key S_n. The experimental results show that Attack 1' is significantly better than Attack 1.



The idea of the multi-bit attack is quite straightforward: instead of fixing L_n mod w at each step, we calculate the bias over the data with many different values of L_n mod w. We know that when L_n mod w is fixed, the behavior of the bias for a wrong key is not random (see Section 4). By taking the bias over many different values of L_n mod w, we hope that the bias will behave more "normally" (i.e. zero expected bias for a wrong key, positive expected bias for the correct key).



6.1

Although the formal description of the multi-bit attack may appear complicated, in fact it is really intuitive. Suppose we have already recovered the key bits S_n[0...k] and we are going to recover the next ℓ bits S_n[k+1...k+ℓ]. The bias of each key candidate is computed over the data with k + 1 ≤ L_n mod w ≤ k + ℓ. The one with the highest bias is accepted. The formal description of the algorithm is as follows.

U_s denotes the number of the texts such that the left side of approximation (3) is 1 when we substitute s for S_n. The expression S_n[0...k] denotes the part of the round key that has been recovered so far. ℓ denotes the number of the key bits that are attacked at one iteration of the algorithm. Once these ℓ bits are recovered, the algorithm is repeated for the next ℓ bits of S_n.

Attack M_{k,ℓ}:
1. For 0 ≤ i < 2^ℓ, compute U_{i∥S_n[0...k]} over the data with k + 1 ≤ L_n mod w ≤ k + ℓ.
2. Accept the i that maximizes the bias |U_{i∥S_n[0...k]} − N/2|, where N is the number of data with k + 1 ≤ L_n mod w ≤ k + ℓ.

The choice of the parameter ℓ is a matter of trade-off. The computational complexity of the attack increases as ℓ gets larger. More specifically, the number of effective text bits at an iteration of Attack M is k + 1 + ℓ and the number of effective key bits is ℓ. Hence the computational complexity of an iteration of Attack M is 2^{(k+1+ℓ)+ℓ} (see Matsui [3]). The computational complexity for recovering a round key of w bits follows by summing this over the w/ℓ iterations, for ℓ dividing w. On the other hand the reliability of the guesses also increases as ℓ gets larger, especially those for the lower-order bits, as will be shown in Section 6.2. Therefore the choice of ℓ should be decided with respect to the constraints of the available computational power, time and the desired success rate.

But Attack M has some limitations. For example, suppose we are trying to recover the key bits S_n[k+1...k+ℓ] and let s̃ denote the key that is the same as S_n in every bit except for the (k+ℓ)th one. The biases of s̃ and S_n taken over the data with k + 1 ≤ L_n mod w < k + ℓ will be exactly the same, since they are exactly the same at bits 0, 1, ..., k+ℓ−1. And for the data with L_n mod w = k + ℓ the bias of s̃ will be the inverse of the bias of S_n (see Section 4). Therefore when the bias for L_n mod w = k + ℓ is negative (i.e. p < 1/2) we incorrectly deduce that s̃ is the correct key with a very high probability! Similar arguments apply to the lower-order bits as well, but their effect is less significant. This fact implies that the guesses for the higher-order bits will not be very reliable, as illustrated by the experimental results in Section 6.2.
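The counting argument of Section 4 (n_s and the expected bias of Figure 2), the generic 1-bit attack with A_{s_t} = |B_{s_t}| (Attack 1, Section 5) and Attack M_{k,ℓ} of Section 6.1, including the failure mode just described, as one added Python example that is not code from the paper. It encrypts nothing: the data model (uniform R_n[0...ρ], and the correct-key outcome of (3) holding with probability p independently of R_n, which is the independence assumption Section 4 states) and every key value, probability and text count below are constructed here.

```python
import random

def bit(x, i):
    return (x >> i) & 1

def n_s(S_n, s, rho):
    """Number of values of R_n[0...rho] for which ((R_n - s) >>> rho)[0] equals
    ((R_n - S_n) >>> rho)[0], i.e. for which substituting the wrong key s in
    approximation (3) leaves its left side unchanged (Section 4)."""
    mod = 1 << (rho + 1)
    return sum(1 for r in range(mod)
               if bit((r - s) % mod, rho) == bit((r - S_n) % mod, rho))

def expected_bias(S_n, s, rho, N, p):
    """E[B_s] of Figure 2 under the independence assumption of Section 4: a
    fraction n_s / 2^(rho+1) of the N texts behave as for the correct key and
    the rest behave inversely, so E[B_s] = (2 n_s / 2^(rho+1) - 1) N (p - 1/2)."""
    f = n_s(S_n, s, rho) / (1 << (rho + 1))
    return (2 * f - 1) * N * (p - 0.5)

def simulate_U(S_n, rho, N, p, rng, candidates):
    """Constructed data model for approximation (3) with L_n mod w = rho:
    R_n[0...rho] is uniform and, with the correct key S_n substituted, the
    left side of (3) is 1 with probability p. Returns U_s (number of texts
    whose left side is 1 with s substituted) for each candidate s; only the
    low rho+1 bits of s matter, as in Section 4."""
    mod = 1 << (rho + 1)
    U = {s: 0 for s in candidates}
    for _ in range(N):
        r = rng.getrandbits(rho + 1)
        out_correct = 1 if rng.random() < p else 0
        ref = bit((r - S_n) % mod, rho)
        for s in candidates:
            # substituting s flips the left side exactly when bit rho of
            # (R_n - s) differs from bit rho of (R_n - S_n)
            U[s] += out_correct ^ bit((r - s) % mod, rho) ^ ref
    return U

def attack1(known_low, rho, p_rho, N, S_n, seed):
    """Attack 1 (Section 5): guess S_n[rho-1] from N texts with
    L_n mod w = rho, given known_low = S_n[0...rho-2], using A_s = |B_s|."""
    rng = random.Random(seed)
    s0, s1 = known_low, known_low | (1 << (rho - 1))   # 0||known and 1||known
    U = simulate_U(S_n, rho, N, p_rho, rng, [s0, s1])
    B0, B1 = U[s0] - N / 2, U[s1] - N / 2
    return 0 if abs(B0) > abs(B1) else 1

def attackM(known, k, ell, probs, N, S_n, seed):
    """Attack M_{k,ell} (Section 6.1): given S_n[0...k] = known, try all 2^ell
    values i for S_n[k+1...k+ell] over the data with k+1 <= L_n mod w <= k+ell
    (N texts per value of L_n mod w, as in the paper's tables) and accept the
    i maximizing |U_i - N_total/2|. probs[rho] is the probability of (3) for
    L_n mod w = rho; a negative bias at rho = k+ell is the failure case of 6.1."""
    rng = random.Random(seed)
    cands = [(i << (k + 1)) | known for i in range(1 << ell)]
    U = {s: 0 for s in cands}
    for rho in range(k + 1, k + ell + 1):
        for s, u in simulate_U(S_n, rho, N, probs[rho], rng, cands).items():
            U[s] += u
    total = N * ell
    best = max(cands, key=lambda s: abs(U[s] - total / 2))
    return (best >> (k + 1)) & ((1 << ell) - 1)

if __name__ == "__main__":
    S_n, rho = 0b0101, 3                    # constructed key value and rotation amount
    print([n_s(S_n, s, rho) for s in range(1 << (rho + 1))])   # 16 at s = 5, 0 at s = 13
    # S_n[2] = 1 is recovered although p < 1/2: the (rho-1)st-bit idea of Section 5
    print("Attack 1 guess for S_n[2]:", attack1(0b01, rho, 0.45, 20000, S_n, 1))   # 1
    S_n = 0b101101                          # constructed; known S_n[0..1] = 01, true S_n[2..4] = 011
    good = {2: 0.53, 3: 0.53, 4: 0.53}
    bad = {2: 0.53, 3: 0.53, 4: 0.47}       # negative bias at rho = k + ell
    print("Attack M guess:", attackM(0b01, 1, 3, good, 20000, S_n, 2))              # 3 (= 0b011)
    print("Attack M guess, negative bias at the top bit:",
          attackM(0b01, 1, 3, bad, 20000, S_n, 3))                                   # 7: top bit wrong
```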



6.2

We tested Attack M on RC5-16/2 for ℓ = 6, 8, 10 on a sample of 10,000 different cases. Our results are given in Table 2. The entries in the tables are given as a percentage of the 10,000 trials. The i-th column of the tables denotes the percentage of guesses that are correct at the bits lower than i but wrong at the i-th bit. Another important point about the tables is that the data amount N denotes the available number of texts for each different value of L_n mod w (e.g. for ℓ = 10 the total number of texts used is 10 · N). We chose this way of presentation to make the comparison between the tables easier.

The experimental results show that the success rate for the lower-order bits improves as ℓ increases. But this improvement becomes less significant for higher data amounts. Another important point is that increasing the data amount does not help beyond a certain point, and the failure rates at the lower-order bits almost stabilize at a level not exceeding 0.9%.

The high failure rates at the higher-order bits are due to the fact discussed at the end of Section 6.1, and the success rate of these bits cannot be improved beyond a certain point even with an unlimited amount of data. Therefore we suggest discarding the top two bits guessed and starting the next iteration of the attack to include these bits as well. The size of the discarded part may be



[Table 2 (numeric entries not recoverable): three blocks for ℓ = 6, 8, 10; rows N = 1,000, 10,000, 100,000, 1,000,000; one column per bit position i and a total column.]

Table 2. Failure rates of Attack M on RC5-16/2 for ℓ = 6, 8, 10. The i-th column presents the percentage of guesses that are correct at the bits lower than i but wrong at the i-th bit. The results show that the attack gets better as ℓ increases; but this improvement is less significant when the amount of data used is higher.



different for different word sizes and should be determined experimentally (or theoretically if possible). We denote the size of the discarded part by j and add the following step to the algorithm Attack M_{k,ℓ}:

3. Discard the top j bits of the key estimate.



We compared the two attack strategies experimentally on RC5-16/r for r = 2, 4. Table 3 lists the success rates of Attack 1' and Attack M for guessing the first eight bits of S_n. Attack 1' represents the most successful 1-bit attack. N denotes the number of plaintexts available for each different value of L_n mod w. As discussed in Section 3, even though the experiments are run for relatively small values of r, they give a fair comparison of the attacks, mainly because the relative performance of the attacks will not be affected much by an increase in r since they all use the same approximation. The results suggest that Attack M has a better success rate for small amounts of data, but Attack 1' becomes better as the amount of available data




[Table 3 (numeric entries not recoverable): for r = 2 and for r = 4, rows N = 1,000, 10,000, 100,000, 1,000,000; columns Attack 1' and Attack M.]

Table 3. Success rates of Attack 1' and Attack M on RC5-16/r for recovering the first eight bits of S_n. The results show that Attack M is better for small amounts of available data. The success rates fall sharply as r increases.



increases. An advantage of Attack 1' over Attack M is that the success rate of Attack M does not improve much beyond 92% regardless of the increase in the data amount, but there is no such limit on the success rate of Attack 1'.

Besides, the 1-bit attacks have two other advantages over the multi-bit attacks. First, they are computationally less expensive. Second, a wrong guess in a 1-bit attack can be detected early and can be corrected more easily, since the biases after a wrong bit guess will be significantly smaller than what is expected.

The dramatic decrease in the success rates as the number of rounds r increases suggests that our attacks are not practical enough to break RC5 for real values of r and w. This thought is also supported by the fact that all of our attacks are based on approximation (1), which has a quite low bias for real values of r and w. At this point it is not possible to calculate the exact success rates for a given amount of data. This fact is due to the lack of a concrete formula for the relation between the probability of approximation (1) and L_n mod w. However we conjecture that the data requirement for a significant success rate will be comparable to |p − 1/2|^{−2}, that is 4w^{2(r−1)}, which is impractically high for reasonably high values of w and r (i.e. w = 32, r = 6).



We presented some new results about linear cryptanalysis of RC5. First we showed that the attack of Kaliski and Yin [1] does not work as expected due to some unexpected consequences of fixing L_n mod w. We studied the statistical behavior of approximation (1). Then we presented some new techniques for using this approximation to recover the last round key S_n.

Our results on the attack of Kaliski and Yin have significance beyond the linear cryptanalysis of RC5. It is significant to emphasize that hidden assumptions may have extremely serious consequences. It is also significant to show that extreme care has to be taken when applying a method developed for a specific cipher to a cipher of a different type.

The attacks we presented in this paper are examples of how linear cryptanalysis can be carried on when the bias is different from zero for a wrong key substituted in the approximation. At this point it is not possible to calculate the exact success rate of our attacks due to the lack of a concrete formula for the relation between the probability of approximation (1) and L_n mod w. However we conjecture that the data requirement for a significant success rate will be comparable to |p − 1/2|^{−2}, which is impractically high for our approximation. We believe that RC5 still remains secure against linear cryptanalysis.

There are many open research problems that are to be solved about the linear cryptanalysis of RC5. An important one is to obtain a theoretical result for the relation between the probability of approximation (1) and L_n − S_{n−1} and S_{n−2}. In this way it will be possible to obtain theoretical results for the success rate of the attacks that are based on approximation (1), including the ones presented in this paper. Moreover it should be possible to use such a relation in an attack which obtains further information about the round keys S_{n−1} and S_{n−2}.

Another significant improvement will be to develop better linear cryptanalytic attacks than the ones presented here. However any attack based on approximation (1) will be limited by the low bias of that approximation. Therefore finding a better approximation is essential to improving the linear cryptanalysis of RC5 significantly. But any research trying to find a better linear approximation should be aware of a proposition of Kaliski and Yin [1] that states a limitation of linear approximations of RC5.

A way to circumvent this limitation may be to use non-linear approximations [2]; not just at the end rounds but at the intermediate rounds as well. The main reason for using linear approximations in DES-like ciphers is that it is easy to find approximations of S-boxes since they are relatively small. Moreover if an approximation of an S-box is linear it can be distributed to, and stated in terms of, the input, output and key bits of that round. But this argument is not true for RC5 since it does not have small sub-blocks like S-boxes. Moreover using linear approximations does not have the advantage of being easily distributed to input, output and key bits as it has in DES. Therefore we believe that, at least theoretically, finding a non-linear approximation for RC5 is not substantially more difficult than finding a linear approximation. But it should be noted that finding an approximation for RC5 is not an easy task in general since there are no small sub-blocks like S-boxes.

As a last minute note, we have recently found out that the probability p of approximation (1) is not equal to 1/2 + 1/(2w^{r−1}) as was calculated by Kaliski and Yin. The reason for this unexpected result is that two consecutive half-round approximations R_i[0] = L_{i−1}[0] ⊕ S_i[0] and R_{i+2}[0] = L_{i+1}[0] ⊕ S_{i+2}[0] are not independent, and therefore the piling-up lemma cannot be used to calculate the probability of approximation (1). We experimentally found out that the probability p is extremely key dependent and it can be a lot different from 1/2 + 1/(2w^{r−1}) depending on the key. And averaged over the keys, the probability of approximation (1) is a lot different from 1/2 + 1/(2w^{r−1}). However this new finding leaves the whole issue of linear cryptanalysis of RC5 as an open question.



I gratefully acknowledge the invaluable discussions with Matt Robshaw and Lisa Yin. I would like to thank Alan Sherman for his comments on the paper, and I would like to thank Leo Reyzin for his help with the implementation of the attacks. I am thankful to all my friends at RSA Labs for their support and friendship during my visit there.



[1] B. S. Kaliski Jr. and Y. L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology – CRYPTO '95, pages 171–184. Springer-Verlag, New York, 1995.
[2] L. R. Knudsen and M. J. B. Robshaw. Non-linear approximations in linear cryptanalysis. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, pages 224–236. Springer-Verlag, New York, 1996.
[3] M. Matsui. Linear cryptanalysis of DES cipher (I).
[4] M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology – EUROCRYPT '93, pages 386–397. Springer-Verlag, Berlin, 1994.
[5] R. L. Rivest. The RC5 encryption algorithm. In B. Preneel, editor, Fast Software Encryption, pages 86–96. Springer-Verlag, New York, 1995.



The probability of the half-round approximation

R_{n−2}[0] = L_{n−3}[0] ⊕ S_{n−2}[0]    (6)

depends on the value of (L_n − S_{n−1}) mod w and S_{n−2} mod w. This fact implies that when L_n, S_{n−1} and S_{n−2} are fixed, the bias of the approximation may be different from its average bias 1/2w. Table 4 lists the bias of approximation (6) for different values of (L_n − S_{n−1}) mod w and S_{n−2} mod w for w = 16. These values are computed by exhaustively going through all possible values of the variables involved. The parameter δ denotes the difference (L_n − S_{n−1}) mod w. The entries of the table are the actual biases as a proportion of the average bias 1/2w (i.e. (p − 1/2)/(1/2w)).




[Table 4 (entries not recoverable): bias of approximation (6), relative to 1/2w, for each value of δ = (L_n − S_{n−1}) mod w and of S_{n−2} mod w, w = 16.]



Shiho Moriai, Takeshi Shimoyama, and Toshinobu Kaneko
Telecommunications Advancement Organization of Japan
Science University of Tokyo



This paper proposes a new higher order differential attack. The higher order differential attack proposed at FSE'97 by Jakobsen and Knudsen used exhaustive search for recovering the last round key. Our new attack improves the complexity to the cost of solving a linear system of equations. As an example we show the higher order differential attack of a CAST cipher with 5 rounds. The required number of chosen plaintexts is 2^{…} and the required complexity is less than 2^{…} times the computation of the round function. Our experimental results show that the last round key of the CAST cipher with 5 rounds can be recovered in less than 15 seconds on an UltraSPARC station.



Higher order differential attack is one of the powerful algebraic cryptanalyses. It is useful for attacking ciphers which are represented as Boolean polynomials with low degrees. After Lai mentioned the cryptographic significance of derivatives of Boolean functions in [12], Knudsen used this notion to attack ciphers which were secure against conventional differential attacks [11]. At FSE'97 Jakobsen and Knudsen [7] gave an extension of Knudsen's attacks and broke the ciphers with quadratic functions such as the cipher KN [1…] and the scheme by Kiefer [10]. These were provably secure ciphers against differential and linear cryptanalysis. Furthermore, at ISW'97 Shimoyama, Moriai and Kaneko [1…] essentially reduced the complexity and the number of chosen plaintexts required for the higher order differential attack of the cipher KN. In this paper we generalize the higher order differential attack described in [1…] and apply it to CAST ciphers.

CAST ciphers are a family of symmetric ciphers constructed using the CAST design procedure [1] proposed by Adams and Tavares. The design procedure describes that they appear to have good resistance to differential cryptanalysis [5], linear cryptanalysis [15] and related-key cryptanalysis […]. A known attack on CAST ciphers is the attack which uses weaknesses of non-surjective round functions, and it requires 2^{…} known texts for a CAST cipher with 6 rounds [16].

In this paper we demonstrate that some of the symmetric ciphers constructed using the CAST design procedure can be broken by our higher order differential attack if the number of rounds is small. CAST-128 is a famous example of a CAST cipher used in several commercial applications, but this is not our target. CAST-128 seems resistant to our attack.

S. Vaudenay (Ed.): Fast Software Encryption – FSE'98, LNCS 1372, 1998.
CAST ciphers use the Feistel structure used in DES. The CAST design procedure allows a wide variety of round functions. It has substitution boxes (S-boxes) with fewer input bits than output bits (e.g. 8 × 32). There are several proposals for S-boxes. For example, [3] suggested constructing the S-boxes from bent functions. Later on [6] CAST ciphers with random S-boxes were proposed. In our attack we use the S-boxes proposed for CAST-128 [2] based on bent functions. As for the operations used for combining input and subkey or output results of S-boxes, the CAST design procedure describes that a simple way is to specify that all operations are XORs. Although other operations (addition and subtraction modulo 2^{32}, multiplication modulo (2^{32} ± 1), etc.) may be used instead, we assume that the CAST cipher of our target uses XORs for all operations.

We explain the higher order differential attack of this CAST cipher with 5 rounds. We begin by finding the Boolean polynomials of all output bits of the S-boxes. The polynomials show that all degrees are 4. When all operations in the round function are XORs, the degree of the round function is at most 4. If the right half of the plaintext is fixed at any value, the degree of the right half of the […]-th round is at most 16 and the 16-th order differential becomes a constant. Thus we can construct the attack equations for recovering the last (i.e. 5-th) round key. In [7] exhaustive search was used for finding the true key. If their attack were applied to this CAST cipher with 5 rounds, the required complexity would be 2^{…} times the computation of the round function using 2^{…} chosen plaintexts. Our new attack can recover the last round key by solving the linear system of equations. As a result the required number of chosen plaintexts is 2^{…} and the required complexity is reduced to less than 2^{…} times the computation of the round function. Our experimental results show that all last round key bits of the CAST cipher can be recovered in less than 15 seconds on a Sun Ultra 2 workstation (UltraSPARC 200 MHz).
The following propositions are known on the higher order differential of Boolean functions.

ropos t o 12 ds (2)^ d 

C (2)2 

. . () * ( ) 



C (2)2 d d 

s 

( ) 

( ) 0 

2.2 Attack Procedure

The following is the attack procedure of our higher order differential attack of an iterated block cipher with block size 2m and N rounds. Let the i-th round subkey consist of m bits, written as a vector of bit variables, and let X be the set of variables of the input, i.e. the plaintext bits.

Here we describe an "(N−1)-round attack", where we find a certain constant value which is independent of the key (e.g. the higher order differential of the output of the (N−1)-th round) and construct the attack equations for recovering the last round key. Of course an "(N−2)-round attack" is possible, though solving the attack equations becomes rather difficult.

We assume that the attacker has (or can compute) all chosen plaintexts of a d-th order differential, i.e. the plaintexts V ⊕ C for a d-dimensional subspace V and a constant C, and the corresponding ciphertexts, where d is the total degree of the output of the (N−1)-th round and C is any value in GF(2)^{2m}. For some block ciphers the total degree of the output of the (N−1)-th round may be difficult to determine for particular choices of V and C. However we don't consider it in this paper.

Even if the algorithm of the cipher is not open (i.e. if it is a black box), our attack is applicable when we know the total degree of the output of the (N−1)-th round by some means. In this case we start from step 2.

Step 1 (Degree of the round function). In attacking iterated ciphers by higher order differential attacks, it is useful to represent the round function by Boolean polynomials. We can get the degree over GF(2) of each output bit of the round function from these polynomials. The information on which terms are included in the polynomials is also helpful in step 3.

We begin by representing S-boxes by Boolean polynomial functions. When the description of the S-boxes is not given as some algebraic expressions, we construct Boolean polynomial functions from the description tables (see Section 3.1).



ropos to 1 

eg ( ( )) 
Step 2: Computation of the higher order differential of the output of the (R−1)-th round. Our higher order differential attack is possible for an integer d (1 ≤ d ≤ 2n) when the d-th order differential of the output of the (R−1)-th round is a certain constant value which is independent of the key. When is this condition true? One case is when the degree of the output of the (R−1)-th round is d − 1. Another is when the input and subkeys are combined simply with XORs and the degree of the output of the (R−1)-th round is d. In this case the total degree of the output of the (R−1)-th round with respect to X is equal to the total degree with respect to X and K_1, ..., K_{R−1} before the degree reaches 2n (see Proposition 1).

In these cases the d-th order differential of the output of the (R−1)-th round can be computed by using Proposition 1 without knowing the true key.



Step 3: Construction of attack equations for recovering the last round key. We give the details in the case of a Feistel cipher. Let X = (X_L, X_R) and C(X) = (C_L(X), C_R(X)), where X_L denotes the left half of the plaintext, X_R the right half, C_L the vector Boolean polynomial function of the left half of the ciphertext and C_R that of the right half. Let \tilde{C}_R(X) be the vector Boolean polynomial function of the right half of the output of the (R−1)-th round. Then we have

( ( )) ( ) ~ ( ) 



If the d-th order differential of \tilde{C}_R(X) is constant, we have the following equation for linearly independent A_1, ..., A_d ∈ GF(2)^{2n} and any X ∈ GF(2)^{2n}:

( ) ..'()( ) 



If we have all plaintexts in V^{(d)} ⊕ X and the corresponding ciphertexts, we obtain the following equation by computing each term using Proposition 1:



( ( )) ( ) ' ( ) ( 1 ) 



If the total degree of F is D, equation (1) has degree D − 1 with respect to K_R. This is because we can rewrite the first term of equation (1) as follows. (The first order differential of a function of degree D has degree D − 1.)

( ()) 

( ( » ( ( )) 

■ ( ( )) ( ( ))■ 

\{ 

( ( )) ( ( ) ( )) 



... 
Since \tilde{C}_R is a vector Boolean function composed of n coordinate Boolean functions, equation (1) forms a system of n algebraic equations of degree D − 1 with h unknowns. (Note that h is the number of bits of the last round key K_R.) We have some ways to solve the system of algebraic equations, and in this paper we take a way similar to the one described in [8]. That is, we transform it into a system of linear equations where we regard all monomials in K_R in equation (1) as independent unknown variables. Hereafter L denotes the number of the unknown variables. When D = 2 the unknown variables are k_1, ..., k_h. When D = 3 they are the single bits and the products of two bits, and similarly when D = 4, 5, .... When the total degree of F is D, L is at most the number of monomials of degree at most D − 1 in h variables. Actually L is much smaller than this upper bound, because the coefficients of some of the unknown variables cancel each other out, or because some of these unknown variables don't exist for some F. Finding a small L is important for reducing the complexity. A general theory on a tighter upper bound of L will appear in another paper.

If the number of unknown variables of the linear equations (L) is larger than n, we have to set up equations (1) using plaintexts in different d-dimensional spaces to determine the L unknowns. However, this does not increase the required number of chosen plaintexts by ⌈L/n⌉ times, because some plaintexts can be used repeatedly. That is, for an integer m we can obtain several different d-dimensional vector spaces from one (d+m)-dimensional vector space. Therefore, if we let m be the smallest integer such that enough d-dimensional spaces are available, the required number of chosen plaintexts is at most 2^{d+m}.

2.3 Comparison with Jakobsen and Knudsen's Attack

In this section we compare the complexity of our higher order differential attack with Jakobsen and Knudsen's attack [7]. The dominant complexity is setting up the system of linear equations, i.e. computing the coefficients¹ (see also Section 4.3). For the second and third terms of equation (1), 2^d computations of the round function are needed per d-dimensional space. For the first term of equation (1), at most (L + 1) × 2^d computations of the round function are required. Therefore the required complexity is at most (L + 1) × 2^{d+m}. On the other hand, the required complexity for Jakobsen and Knudsen's attack [7] was 2^h × 2^d ([7, Theorem 1]). Since L is far smaller than 2^h, the complexity is reduced.



The family of the ciphers constructed using the design procedure [1] are known as CAST ciphers, and [1] describes that they appear to have good resistance to differential cryptanalysis [5], linear cryptanalysis [15] and related-key cryptanalysis [4].

¹ There is another way of computing the coefficients of the terms of degree D − 1 with less complexity (Appendix B).




Fig. 1. Round function
CAST ciphers are based on the framework of the Feistel cipher. The round function is specified as follows (see also Fig. 1). A 32-bit data half is input to the f function along with a subkey K_i. These two quantities are combined using operation "a" and the 32-bit result is split into four 8-bit pieces. Each piece is input to a different 8×32 S-box (S1, S2, S3 and S4). S-boxes S1 and S2 are combined using operation "b"; the result is combined with S3 using operation "c"; this second result is combined with S4 using operation "d". The final 32-bit result is the output of the round function.

The design procedure allows a wide variety of possible round functions: S-boxes and operations (a, b, c and d). As for S-boxes, [3] suggested constructing the S-boxes from bent functions. Later on, [6] with random S-boxes was proposed. In our attack we use the S-boxes based on bent functions proposed for CAST-128 [2]. As for operations, a simple way to define the round function is to specify that all operations are XORs, which is addition on GF(2)^32, although other operations may be used instead. Actually, according to [1], some care in the choice of operation "a" can conceivably give intrinsic immunity to differential and linear cryptanalysis. The immunity to higher order differentials for choices of operations (a, b, c and d) will be discussed in Section 5.

As for the number of rounds, it seems that the design procedure doesn't specify a concrete number². However, in [1] it is described that CAST ciphers possess a number of improvements compared to DES in both the round function and the key schedule, which provide good cryptographic properties in fewer rounds than DES. There are also several key schedules for CAST ciphers, but for the purpose of our attack the key schedule makes no difference.

4 Attack of a CAST Cipher

4.1 Boolean Polynomials of S-boxes

We begin by representing S-boxes by Boolean polynomial functions. We use the S-boxes proposed for CAST-128 [2]. The description of the S-boxes is given by tables. One way to construct them can be seen in [19]. Another, more efficient, method using matrix transformation is also known. The obtained Boolean polynomials of the S-boxes occupy a lot of space, and we show those of only some bits of S1 in Appendix A.

From the obtained Boolean polynomials it is confirmed that the degrees of all output bits of all S-boxes are 4, which doesn't contradict the property of bent functions: the degree of a bent function f: GF(2)^8 → GF(2) is at most 4. When the operations a, b, c and d are XORs, all the degrees of all output bits of the round function are at most 4. We discuss the higher order differential attack of this cipher with 5 rounds.
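The following Python is an added example (not code from the paper or from CAST) illustrating steps 1 and 2 of Section 2.2 and the degree check of Section 4.1: it recovers the Boolean polynomial of each S-box output bit from the description table by the Moebius transform, reads off the degree, and checks that the differential of order equal to the degree is a constant that does not depend on an XORed-in subkey. The S-box is a constructed 4-bit toy defined by its own polynomials, not a CAST-128 S-box, and all function names are ours.

```python
"""Algebraic degree of S-box output bits and the higher order differential
they admit.  Added example, not code from the paper: the S-box is a
constructed 4-bit toy (given directly by its Boolean polynomials), not a
CAST-128 S-box, and every name here is our own."""

N_IN = 4   # input bits of the toy S-box
N_OUT = 4  # output bits of the toy S-box

# Constructed ANFs of the four coordinate functions, one set of monomials
# per output bit; a monomial is a bit mask over the input variables x0..x3.
#   y0 = x0 x1 x2 + x3          (degree 3)
#   y1 = x0 x1 + x2 x3 + x1     (degree 2)
#   y2 = x1 x2 x3 + x0          (degree 3)
#   y3 = x0 x3 + x2             (degree 2)
TOY_ANFS = [
    {0b0111, 0b1000},
    {0b0011, 0b1100, 0b0010},
    {0b1110, 0b0001},
    {0b1001, 0b0100},
]


def eval_anf(monomials, x):
    """Evaluate a Boolean polynomial (set of monomial masks) at input x."""
    return sum(1 for m in monomials if x & m == m) & 1


# The S-box as a description table, the form step 1 of the paper starts from.
TOY_SBOX = [
    sum(eval_anf(anf, x) << bit for bit, anf in enumerate(TOY_ANFS))
    for x in range(1 << N_IN)
]


def coordinate_truth_table(sbox, bit):
    return [(v >> bit) & 1 for v in sbox]


def anf(truth_table):
    """Moebius transform over GF(2): truth table -> set of monomials with
    coefficient 1.  This recovers the Boolean polynomial from the table."""
    n = len(truth_table).bit_length() - 1
    coeffs = list(truth_table)
    for i in range(n):
        step = 1 << i
        for x in range(len(coeffs)):
            if x & step:
                coeffs[x] ^= coeffs[x ^ step]
    return {m for m, c in enumerate(coeffs) if c}


def degree(truth_table):
    return max((bin(m).count("1") for m in anf(truth_table)), default=0)


def sbox_degrees(sbox, n_out):
    """Degree over GF(2) of every output bit (step 1 of the procedure)."""
    return [degree(coordinate_truth_table(sbox, bit)) for bit in range(n_out)]


def span(basis):
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return vecs


def higher_order_differential(func, basis, offset):
    """d-th order differential of a vector Boolean function: the XOR of
    func over the coset offset + span(basis), with d = len(basis)."""
    acc = 0
    for a in span(basis):
        acc ^= func(offset ^ a)
    return acc


def keyed_sbox(key):
    """Round-like map: subkey XORed into the input, then the S-box."""
    return lambda x: TOY_SBOX[x ^ key]


def differential_is_key_independent(basis):
    """Step 2 check: is the differential over span(basis) the same constant
    for every subkey and every coset offset?  Returns (is_constant,
    sorted list of the values observed)."""
    values = {
        higher_order_differential(keyed_sbox(k), basis, offset)
        for k in range(1 << N_IN)
        for offset in range(1 << N_IN)
    }
    return len(values) == 1, sorted(values)


if __name__ == "__main__":
    print("degrees:", sbox_degrees(TOY_SBOX, N_OUT))            # [3, 2, 3, 2]
    print("3rd order, span(e0,e1,e2):",
          differential_is_key_independent([1, 2, 4]))          # (True, [1])
    print("2nd order, span(e0,e1):",
          differential_is_key_independent([1, 2]))             # (False, [2, 3])
```

Raising the order to the maximum degree (3 here, 16 for the 4-round CAST output in the paper) makes the sum key-independent; one order lower leaves a key-dependent value, which is exactly why the degree bound fixes the order of the attack.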

4.2 Linear Equations for Recovering the Last Round Key

If the right half of the plaintext is fixed at any value, the degree of the right half of the 4-th round \tilde{C}_R(X) is at most 16, and the 16-th order differential of \tilde{C}_R(X) becomes constant. Therefore we can compute it without knowing the true key, and we have the following attack equations for recovering the last round key K_5:

( ( )) * ( ) * ~ ( ) ( 2 ) 

where F: GF(2)^32 × GF(2)^32 → GF(2)^32.

As we described in Section 2.2, since the total degree of F is 4, equation (2) has degree 3 with respect to K_5 = (k_{5,31}, k_{5,30}, ..., k_{5,0}). It follows that equation (2) forms a system of equations of degree 3 with 32 unknowns. Hereafter we write k_31, k_30, ..., k_0 for k_{5,31}, k_{5,30}, ..., k_{5,0} for simplicity.

Here we transform the system of equations of degree 3 into a system of linear equations with L unknowns. For decreasing the complexity it is important to find L as small as possible. In this paper we find a small L by considering the structure of the round function of CAST ciphers. The output of the round function is the sum (XOR) of the outputs of S1, S2, S3 and S4, whose sets of input variables are disjoint, i.e. the set of input variables of S1 is {k_31, k_30, ..., k_24}, that of S2 is {k_23, k_22, ..., k_16}, that of S3 is {k_15, k_14, ..., k_8} and that of S4 is {k_7, k_6, ..., k_0}. Consequently, all the terms included in equation (2) are products of variables from one of the sets above. Therefore equation (2) is transformed into the system of linear equations below with the following unknown variables, where L = 32 + (4 × ₈C₂) + (4 × ₈C₃) = 368.

² For example, CAST-128 is a 12 or 16 round Feistel cipher [2].



.0 .. . 0 0 2 .. 30 3 . . 020 ;. 2 30 3 . 

egree-1 32 egree-2 . . egree-3 . . 



0 



^ . 

0 I 0 

• • 

02. . 

• • 

• • ! 

30 3 • 3 

0 2 • 

0 3 • 

• 

2 30 3 



We need L equations to determine the L unknown variables. However, since F and \tilde{C}_R are vector functions composed of n (= 32) functions, only 32 equations are obtained from equation (2). Therefore we have to compute equation (2) for ⌈368/32⌉ (= 12) different X. This does not increase the required number of chosen plaintexts by as many as 12 times: because we can take ₁₇C₁₆ (= 17) different V^{(16)} from V^{(17)}, it only doubles the required number of chosen plaintexts.

In order to set up the system of linear equations above, we compute the coefficient matrix described below. We prepare a matrix with more rows than L because an L × L matrix is not always regular (non-singular). Our experimental results show that 32 × 12 (= 384) rows are enough to determine the key.

How to compute the coefficients in the matrices is as follows. Here we describe the computation of only the coefficients of the upper 32 rows. The remaining coefficients can be computed using the 11 other X in the same way.
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0 0 0 
0 

3 0 3 



- 0 



o 

1 1 

» • • 


0 

• • 

• • 

• • 


• 

• 


0 


3-1 


• • 
. 3 . 


• 

• 

• 

• 


3 




1 0 1 


• 

• 






• • 

. 0 2. 
• • 


• 

• 

• 






• 30 3 • 


• 

• 

• 






• 0 2 • 


• 

• 






• 0 3 • 

• • 


• 

• 

• 

• 





2 30 3 



- 0 - - - 
All coefficients can be computed by using

( ( )) (3) 

where, for each i (0 ≤ i < 368), the argument is as follows:

(0 32) 

(32 1 ) 

(1 ) 

(0 0 ) ( 2)32 ( ) 

where e_i = (0, ..., 0, 1, 0, ..., 0) ∈ GF(2)^32 has its single 1 in position i, and i = 0, 1, 2, 3, ..., 31.

The matrix is computed column by column as follows. Let A be the column corresponding to the i-th row of the list of unknown variables; the elements of A are the coefficients of that unknown variable. When 0 ≤ i < 32, A is the column vector of coefficients of k_i. Therefore A is computed as follows:

A 

When A is a column vector of coefficients of k_i k_j, i.e. when 32 ≤ i < 144, A is computed as follows:

A 

When A is a column vector of coefficients of k_i k_j k_l, i.e. when 144 ≤ i < 368, A can be computed similarly. We have another method with less complexity in Appendix B.







4.3 Complexity

This section discusses the required complexity for our higher order differential attack. Most of the execution time is spent in the following procedures:

computing ciphertexts' higher order differentials
computing all coefficients in the system of linear equations
solving the linear equations

Computing Ciphertexts' Higher Order Differentials

In order to compute equation (2) we have to prepare 12 sums of 2^16 ciphertexts (= outputs of the 5-th round) and of outputs of the 4-th round. This can be done with 2^17 ciphertexts and outputs of the 4-th round, as explained in the previous section. Therefore the required complexity is 5 × 2^17 times the computation of the round function. Note that we assume that working out the sum (i.e. XOR) is negligible compared with the computation of the round function.

Computing All Coefficients in the System of Linear Equations

All coefficients in the system of linear equations can be computed by computing equation (3) for i (0 ≤ i < 368). Therefore the required complexity is (368 + 1) × 2^17 times the computation of the round function. This is the dominant part of the higher order differential attack. Since in [7] Jakobsen and Knudsen described that the average complexity was 2^ × 2^, our attack has achieved a speedup by 2^ times.

Solving the Linear Equations

We use the Gauss-Jordan elimination method for solving the linear equations. The size of the matrix is M × L, where M = 384 and L = 368. The required complexity is negligible compared with the computations above.

Consequently, the total complexity is (5 + 368 + 1) × 2^17 ≈ 2^ times the computation of the round function. The way to reduce the complexity by half is in Appendix B.

4.4 Experimental Results

Our experimental results showed that all the last round key bits of the CAST cipher with 5 rounds could be recovered in 13.79 seconds (average time of 100 trials) on a Sun Ultra 2 workstation (UltraSPARC 200 MHz). Table 1 shows an execution profile of the program produced by gprof, which is a GNU command to display call-graph profile data.



In this section the immunity to the higher order differential attack for choices of S-boxes and operations (a, b, c and d) is discussed.

Section 4 showed that a CAST cipher with 5 rounds which uses the S-boxes proposed for CAST-128 and XORs for all operations (a, b, c and d) can be broken by our higher order differential attack. Since the degrees of the S-boxes for CAST-128 are 4, the cipher can be broken up to only 5 rounds. However, if the degree of the round function is lower, the cipher could be broken up to a larger number of rounds. In [6] CAST ciphers with random S-boxes are proposed, and we must be careful of the degrees of the S-boxes in such cases. Note that it is shown in [13] that when randomly generated S-boxes are used the resulting cipher is resistant to both differential and linear attacks.

Shiho Moriai, Takeshi Shimoyama, Toshinobu Kaneko

procedures                                              time       ratio
computing ciphertexts' higher order differentials       0.83 s     6.0 %
computing all coefficients in the linear equations      12.92 s    93.7 %
solving the linear equations                            0.04 s     0.3 %
total                                                   13.79 s    100 %

Table 1. Execution profile of the program

Let's discuss other choices of operations (a, b, c and d). Some modifications of operation "a" are proposed in [1]. One example is the insertion of a key-dependent rotation, which is used in CAST-128, i.e. f(x) = ((x ⊕ K_1) <<< K_2), where K_1 is a 32-bit key, K_2 is a 5-bit key and <<< is the rotation specified by K_2. If only operation "a" is extended to XOR and rotation and "b", "c" and "d" are still XORs, the CAST cipher with 5 rounds of our target can be broken by our higher order differential attack, though the complexity increases (a rough estimate is 2^ °).

There are some ways to strengthen CAST-like ciphers against the higher order differential attack. One is to increase the number of rounds. Another is to mix operations on different groups (e.g. XOR and addition (or subtraction) modulo 2^32) for "b", "c" and "d". This makes the degree higher so sharply that it seems difficult to cryptanalyze by the higher order differential attack at this stage. Actually this idea is used in CAST-128 and Blowfish [17]. Moreover, Blowfish uses key-dependent S-boxes. However, note that these ways are not sufficient conditions for immunity to higher order differential attacks. How to prove the security against higher order differential attacks is open.



We would like to thank the referees for many comments. We also thank Serge Vaudenay for essential advice which can improve our attack, and Bruce Schneier and Kazumaro Aoki for helpful suggestions for improving the paper.

References

1. C. Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure," Designs, Codes and Cryptography, Vol. 12, No. 3, Nov. 1997, pp. 283–316, Kluwer Academic Publishers, 1997.
2. C. Adams, "The CAST-128 Encryption Algorithm," Request for Comments (RFC) 2144, Network Working Group, Internet Engineering Task Force, May 1997.
3. C. Adams and S. Tavares, "Designing S-boxes for Ciphers Resistant to Differential Cryptanalysis," Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, pp. 181–190, 1993.
4. E. Biham, "New Types of Cryptanalytic Attacks Using Related Keys," Advances in Cryptology – EUROCRYPT '93, Lecture Notes in Computer Science 765, pp. 398–409, Springer-Verlag, 1994.
5. E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," Journal of Cryptology, Vol. 4, No. 1, pp. 3–72, Springer-Verlag, 1991.
6. H. M. Heys and S. E. Tavares, "On the Security of the CAST Encryption Algorithm," Canadian Conference on Electrical and Computer Engineering, pp. 332–335, 1994.
7. T. Jakobsen and L. R. Knudsen, "The Interpolation Attack on Block Ciphers," Fast Software Encryption Workshop '97, pp. 28–40, 1997.
8. T. Kaneko, "A Known-Plaintext Attack of FEAL-4 Based on the System of Linear Equations on Difference (extended abstract)," Advances in Cryptology – ASIACRYPT '91, Lecture Notes in Computer Science 739, pp. 485–488, Springer-Verlag, 1993.
9. T. Kaneko, "A Known Plaintext Cryptanalytic Attack of FEAL-4 (in Japanese)," IEICE Trans., Vol. J76-A, No. 5, May, pp. 781–786, 1993.
10. K. Kiefer, "A New Design Concept for Building Secure Block Ciphers," Proceedings of PRAGOCRYPT '96, pp. 30–41, CTU Publishing House, 1996.
11. L. R. Knudsen, "Truncated and Higher Order Differentials," Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science 1008, pp. 196–211, Springer-Verlag, 1995.
12. X. Lai, "Higher Order Derivatives and Differential Cryptanalysis," Communications and Cryptography, pp. 227–233, Kluwer Academic Publishers, 1994.
13. J. Lee, H. M. Heys and S. E. Tavares, "Resistance of a CAST-Like Encryption Algorithm to Linear and Differential Cryptanalysis," Designs, Codes and Cryptography, Vol. 12, No. 3, Nov. 1997, pp. 267–282, Kluwer Academic Publishers, 1997.
14. K. Nyberg and L. R. Knudsen, "Provable Security Against a Differential Attack," Journal of Cryptology, Vol. 8, No. 1, pp. 27–37, Springer-Verlag, 1995.
15. M. Matsui, "Linear Cryptanalysis Method for DES Cipher," Advances in Cryptology – EUROCRYPT '93, Lecture Notes in Computer Science 765, pp. 386–397, Springer-Verlag, 1994.
16. V. Rijmen, B. Preneel and E. De Win, "On Weaknesses of Non-surjective Round Functions," Designs, Codes and Cryptography, Vol. 12, No. 3, Nov. 1997, pp. 253–266, Kluwer Academic Publishers, 1997.
17. B. Schneier, "Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish)," Fast Software Encryption, Cambridge Security Workshop, Lecture Notes in Computer Science 809, pp. 191–204, Springer-Verlag, 1994.
18. T. Shimoyama, S. Moriai and T. Kaneko, "Improving the Higher Order Differential Attack and Cryptanalysis of the KN Cipher," Proceedings of 1997 Information Security Workshop, pp. 1–8, 1997 (to appear in Lecture Notes in Computer Science, Springer-Verlag).
19. T. Shimoyama, S. Amada and S. Moriai, "Improved Fast Software Implementation of Block Ciphers (extended abstract)," ICICS '97, Beijing, Nov. 1997, Lecture Notes in Computer Science 1334, pp. 269–273, Springer-Verlag, 1997.
Due to limitations of space we show the Boolean polynomials of only some bits, starting from the least significant bit, of S-box S1 of CAST-128. Those of all S-boxes of CAST-128 can be downloaded from

We used the computer algebra system Risa/Asir to find them.
In Section 4.2 it is described that, in order to compute all coefficients, the computation of

" ( ( )) (5) 

for each i is required. However, there is another method of computing the coefficients of the terms of degree 3 with less complexity. The point is that the coefficient of a term of degree 3 is linear in the input of F. Let

(6) 

be a term of degree 3 in equation (2). The degree of its coefficient is 1 with respect to the input of F, since the degree of F is 4. Therefore we have

...() ^... B... (7) 

The coefficient of (6), which is what we want, is rewritten as follows.



...( ( 


)) 






. . ( ) B...) 
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• • 


• 






. 




( ) ■■■ B... 


0 ( ) 


Here we define


• 




From equation (5) we have




( ) 
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.( ) B 






The first and second terms are computed as follows:
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1 0) (2)32 






(0 
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0) (2)32 






(0 


1 


0) 


(2)32 






(0 


0) 


(2)32 






The complexity required for this method is (12 + 1) × ( + 1) times the computation of the round function F. When we use this method the total complexity is (5 + 1 + 1) × 2^17 + 13 × (368 + 1) ≈ 2^ times the computation of the round function.




Don Coppersmith, David Wagner, Bruce Schneier, and John Kelsey

IBM Research, copper@watson.ibm.com
U.C. Berkeley, daw@cs.berkeley.edu
Counterpane Systems, {schneier,kelsey}@counterpane.com
Abstract. The non-surjectivity of the linear combination step allows us to recover half of the key with minimal effort. Next we show that the various bytes are insufficiently mixed by the linear layer, enabling an attack similar to those on two-loop Vigenère ciphers to recover the remaining half of the key. Combining these techniques lets us recover the entire key. This requires the generator to produce 2^ blocks (2^ bytes), about 19 hours of output, of which only about a million blocks (2^ bytes) are needed; the computational workload is estimated at 2^ operations. Another attack trades off text for time, reducing the amount of known plaintext needed to just eight blocks (64 bytes) while needing 2^ time and 2^ space. We also show how to break two variants of TWOPRIME presented in the original paper.



1 Introduction

The TWOPRIME stream cipher, introduced in 1997, uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ORed onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed (non-bijective) cryptographic function with 64-bit inputs and 64-bit outputs, which is used in a counter-like mode to generate keystream output.

The algorithm has ten layers; the first layer is driven by a counter and the output of each layer becomes the input to the next. We exploit weaknesses of two of the layers to produce several efficient attacks against the scheme. Our conclusion is that there are too few layers of cryptographic strength.

One of the main contributions of the TWOPRIME work is that the algorithm was designed so that one could prove certain statements about the security of the cipher: it has high linear complexity, good cycle length, good resistance to LFSR synthesis attacks, and so on¹. Nonetheless, despite the proofs of various security properties, in this paper we show how to break TWOPRIME very efficiently.

¹ Note that it is possible to prove that using any block cipher in counter mode has good linear complexity and good cycle length, so the proofs are perhaps not entirely meaningful.

Our attacks fall into two natural categories. The first, discussed in Sections 4–7, recover half of the key (namely K3, K4). The second category (Sections 8–9) includes two techniques which identify the remainder of the key (K1, K2) once we have found K3, K4.

The rest of the paper is organized as follows. In Section 2 we review the TWOPRIME scheme. In Section 3 we give some preliminary remarks which will be useful in the cryptanalysis. Section 4 gives a very easy attack to recover half of the key, based on the linear map of layer 7 failing to be surjective. Section 5 shows another attack that reduces the plaintext requirements; the cost of this improvement is an increase in the amount of offline computation required. Section 6 gives a more complicated attack to recover K3, K4 by breaking the period of the cipher into two periods of p1 and p2 respectively. The probabilistic analysis backing up this attack is mentioned in Section 7. In Sections 8 and 9 we finish with two attacks which can be used to recover the remainder of the key in a more mundane manner. Section 10 discusses some of the computational requirements of each attack. Sections 11 and 12 discuss variants of the original scheme and some attacks on these variants. Conclusions are saved for Section 13.

2 The TWOPRIME Scheme

The TWOPRIME scheme uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ORed onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed function F_K: Z_256^8 → Z_256^8 and a custom mode of using F to generate keystream output.

The mode is somewhat similar to counter mode: the input to F comes from two independent 32-bit counters. Each counter is initialized with a key-dependent value and is stepped by adding a public constant and then reducing modulo a public 32-bit prime.

The key, consisting of 16 bytes k_0, ..., k_15, is divided into four 32-bit parts named K1, K2, K3 and K4 with the convention

K = k + k + k ® + 

K = k + k + k ® + 

K = (k ,k ,k ,k ) 

K = {k ,k ,ke, /cy). 



The algorithm has ten layers, which we will describe. The output of each layer becomes the input of the subsequent layer. With one exception, each output consists of eight bytes and so is an element of Z_256^8. The scheme is depicted graphically in Figure 1.

The first layer involves two primes p1 = 2^32 − 17 and p2 = 2^32 − 5 and two fixed public integers a1 and a2. At time step t the output of the first layer is the two 32-bit integers r1 = a1·t + K1 (mod p1) and r2 = a2·t + K2 (mod p2). Each is broken into four 8-bit bytes, yielding a total of eight bytes of output.

In the second layer each byte x is replaced by S(x) = (x^{-1} mod 257) mod 256. It happens that S is its own inverse: S(S(x)) = x.

The third layer involves addition (mod 256) of the key bytes constituting K3 and K4.

The fourth layer is a "linear permutation": if x_0, ..., x_7 are the inputs to this layer, the outputs are

y_j = (Σ_{i=0}^{7} x_i) − x_j (mod 256).

This is intended to mix the bytes; however, as we shall see, it is too weak. The only interaction between the various bytes x_i is through the single byte Σ_i x_i (mod 256), and when that byte is controlled the mixing is ineffective.

The fifth layer involves addition (mod 256) of the key bytes constituting K3 and K4.

The sixth layer is a non-linear expansion: each byte x is expanded to the concatenation of four bytes S_1(x), S_2(x), S_3(x), S_4(x), where the S_i are various nonlinear permutations on Z_256. The output of this layer is 32 bytes.

The seventh layer applies a linear compression to reduce these 32 bytes back to 8 bytes; that is, a fixed public 8 × 32 matrix B = (b_{ij}) maps Z_256^32 → Z_256^8. Upon input (X_0, ..., X_31) the linear transform B produces the output (Y_0, ..., Y_7) = B(X_0, ..., X_31) according to the equations

'r=X+X+X +X +Xe + X +x +x , 

Y = X +Xe + X +X +X 7 + X +X +X , 

Y = X X 7 Y X X Y X Y X Y X Q Y X , 
Y=XYXYXYX YX YX YX 7 YX , 

Y = X Q Y X Y X Q Y X Y X Y Xq Y X Y X , 

Y=XrYX YX 7 YX YX YX YX YX, 

Yg = X Y X Y X Y X Y X Y X Y X Y X , 

Yr = X YX YX YX YX Y X Y X 7 Y X . 

The eighth layer applies the permutation S to each byte. In the ninth layer, bytes from K3 and K4 are exclusive-ORed into the bytes. The tenth round consists of exclusive-ORing these bytes (the output of the ninth round) onto the plaintext to produce the ciphertext, or (in the case of decryption) onto the ciphertext to recover the plaintext.

Let us denote by x_i^j (0 ≤ i ≤ 7, 1 ≤ j ≤ 10) the i-th byte of the output of the j-th round. (For j = 6 we will allow 0 ≤ i ≤ 31.) If the time step t is important we will write x_i^{j,t}. The notation x^j will mean the whole 8-tuple of bytes x_i^j, 0 ≤ i ≤ 7.



During most of the rounds the various bytes remain separate. During the first round four bytes are output from one 32-bit word and four from another. The fourth round combines bytes with a linear map, but (as has been remarked) this does a weak job of mixing them.

The seventh round combines pieces of the various bytes much more thoroughly, but only with a linear transformation. Also, the seventh round lies close to the surface, which lets us exploit the lack of diffusion in the rest of the cipher.

The designers explain that the internal structure of TWOPRIME (i.e. the function F) was chosen to resist inversion attacks (where one tries to use the output of F to work backwards). Two of our attacks succeed exactly because we can work backwards from the output of F.

In fact we use the non-invertibility of F to our advantage in Sections 4–5. Because F is not bijective, not all intermediate values are possible. In particular, the combination of the sixth and seventh layers forms a non-surjective function, so not all 64-bit values are attainable as the output of the seventh layer. Furthermore, layers 8–10 depend only on K3, K4 and not on K1, K2. Therefore we can isolate the effect of K3, K4 and attack them standing alone. Later we can peel off layers 8–10 and use separate techniques (Sections 8–9) to recover the remainder of the key (K1, K2).



The linear combination step (layer seven) suffers from the following regularity. Denote by r the 8-vector (1, 1, 1, 1, −1, −1, −1, −1). The matrix b_{ij} obeys Σ_i r_i b_{ij} = 0 (mod 256) for all indices j. This implies that

Σ_{i=0}^{7} r_i Y_i = 0 (mod 256).    (2)

We can use this information and a few known outputs of the stream generator to recover half of the key (K3, K4). For each byte position i we have

x_i^7 = S(x_i^8) = S(x_i^9 ⊕ k_i),

recalling that S is its own inverse. For fixed i this gives a fixed mapping from x_i^9 to x_i^7, independent of time and of the other bytes.

Denote by y_{ij} the unknown quantity

y_{ij} = S(j ⊕ k_i),

which would be the value of x_i^7 if x_i^9 = j. For each block of output of the stream cipher (at time t) we obtain a linear equation relating these quantities:

Σ_{i=0}^{7} r_i y_{i, x_i^{9,t}} = 0 (mod 256).
If we obtain about 2048 blocks (16,384 bytes) of output we will have 2048 linear equations in the 2048 unknowns y_{ij}, 0 ≤ i ≤ 7, 0 ≤ j ≤ 255. Because of homogeneity these equations will not be independent, and for fixed i we will recover y_{ij} only up to an unknown multiplicative factor and an unknown additive shift:

y_{ij} = α_i z_{ij} + β_i (mod 256)    (3)

with z_{ij} known but α_i, β_i unknown.

But this is clearly enough information to recover the unknown key byte k_i using a few hundred operations: for each possible value of k_i, decrypt a few values j into y_{ij} = S(j ⊕ k_i) and check against (3). The correct k_i will be compatible with (3), and only a few others; a few more trial decryptions should rule out the false alarms.

Having determined (k_0, ..., k_7) = (K3, K4) we still have to find K1 and K2. This seems to be more expensive (and less interesting). We describe ways of finding them using about 2^ operations and just a few known outputs of the stream cipher in Sections 8–9.

The present attack does require about 2048 blocks (16,384 bytes) of stream output. These known-plaintext requirements are not onerous, but it is possible to reduce them even further with meet-in-the-middle techniques, which we discuss next.



In this attack we take advantage of the non-surjectivity of layer seven in a different way. It is essentially a meet-in-the-middle attack taking advantage of unattainable values at the output of the seventh layer.

Roughly speaking, we guess (K3, K4) and work backwards from a block of known keystream to find the output of the seventh layer, using unattainable values to rule out incorrect guesses at (K3, K4). This would take 2^64 time to implement as stated; however, we have an optimization (again based on meet-in-the-middle techniques) to reduce the complexity to 2^32.

As before we rely on the crucial observation (2). If we take some keystream block x, then inverting layers 8–9 shows that x_j^7 = S(x_j^9 ⊕ k_j). Plugging into (2) gives us a relation that the correct value of the key k_0, ..., k_7 must satisfy.

So the attack proceeds as follows. Define

g(K3, y_0, ..., y_3) = Σ_{i=0}^{3} S(y_i ⊕ k_i) (mod 256)

and

h(K4, y_4, ..., y_7) = Σ_{i=4}^{7} S(y_i ⊕ k_i) (mod 256).

² In one situation recovering just (K3, K4) might conceivably suffice: after all, this gives us enough information to predict keystream bytes, since given any seven bytes of a keystream block we can predict the eighth unknown byte with certainty by using (2). So even a partial attack is a concern. We shall see that recovering (K1, K2) in a second phase requires a bit more work, but it is still feasible.



o t in ight known k yst m lo ks X - , 0 j 7 nit 

g-{K ) = {g{K ,x ’ ,...,x ’ ),...,g{K ,x ’’^ )) 

h~{K) = {g{K,x ' ,...,Xy’ ),...,g{K ,x , . . . , 

ot th t o th o t V In o {K ,K) w h v g~{K ) = h~{K ). 

t 11 this o t to m things in th 1 ngu g o m t-in-th -mi 1 

tt ks it shoul 1 how to ov {K , K ) with st n t hni u s. 
( th “mi 1 o th m t-in-th -mi 1 tt k will th 6 - it v In 

g~{K ) = h~{K ) i. . h t isti o th output o th s v nth 1 y .) 

i st o hgu ss tit" w omput g~{K ) n sto th p i {g%K ),K ) 

in h sh t 1 in x on th fi st oo in t o th p i . t num ting 11 

possi iliti s o K w will h v oust u t h sh t 1 o siz . h n 

0 h gu ss t it" w omput h~{K ) n look it up in th h sh t 1 . w 

fin m t h q~(K ) = h~(K ) th n with high p o ility w will h v o t in 

th o t V In s o ,itr ). 

n ight k yst m lo ks to nsu th t th t st will limin t n ly 

11 in o t V In s. On n ount th num o Is 1 ms y ounting th 

num o solutions a, 6 to ( 7 ”(a) = us S is highly non- lin w 
ustifi in xp ting th un tions 5 “/i“to h v oughly lik n om un tions 
oth om* 6“*'* 6- ining this h u isti with th i th y p ox 

w fin th t th p o ility o g n ting Is 1 m is 1 — e“ « 0.63 n 
th xp t num o Is 1 ms is 1. 

o i th intuition w n think o th p s nt tt k s pplying m t- 

in-th -mi 1 tt k splitting th iph fi st with ho izont 1 ut n 

th n splitting it g in with v ti 1 ut. 

h ho izont 1 ut is possi 1 us 1 y s v n ils to su tiv n it 
is n fi i 1 us 1 y s -10 only p n on h 1 o th k y. ( h is slight 

1 n though, n no m 1 m t-in-th -mi 1 tt k on omput sow 

p t-w y kw p t-w y n th n m ts in th mi 1 . n on tt k on 

OP M us 1 y s 6-7 il to su tiv w only n to omput 

kw s nth ow ptoth omput tion is su st nti lly simplifi .) 
The vertical cut is made possible by the linearity of layer seven (or, more precisely, the linearity of the relation (…)). Here the "middle" is the value $\tilde g(K_1) = \tilde h(K_2)$. We compute up the left half and up the right half and then meet in the "middle", at the output of the seventh layer. This second application of meet-in-the-middle techniques lets us isolate the effect of $K_1$ from that of $K_2$ and hence reduces the attack's workload significantly.

In summary, we can recover $(K_1, K_2)$ with modest offline work and space and about eight blocks (64 bytes) of known keystream. As we shall see in Section 10, the computational requirements are not unreasonable.
The previous two attacks could be avoided (in a hypothetical TWOPRIME successor) by using a different linear transformation at layer seven. We now develop another attack against that eventuality.

This attack is similar to the attacks on two-loop Vigenère ciphers which can be found in […] and […70].

Consider any time step $t$, and let us consider the outputs at four specific time steps
$a = t$, $b = t + p_1$, $c = t + p_2$, $d = t + p_1 + p_2$.



And hence, because the counters feeding layer 1 cycle with periods $p_1$ and $p_2$ respectively, the first-layer outputs satisfy
$x_i^{1,a} = x_i^{1,b}$, $x_i^{1,c} = x_i^{1,d}$ for $0 \le i \le 3$, and
$x_i^{1,a} = x_i^{1,c}$, $x_i^{1,b} = x_i^{1,d}$ for $4 \le i \le 7$.




Because the actions of the subsequent layers are time-invariant, the same equalities hold at the corresponding byte positions of the outputs of the following layers:
$x_i^{a} = x_i^{b}$, $x_i^{c} = x_i^{d}$ for $0 \le i \le 3$, and
$x_i^{a} = x_i^{c}$, $x_i^{b} = x_i^{d}$ for $4 \le i \le 7$.





Consider the event $E^*$ that the following two equations both hold:
$\ldots \equiv \ldots \pmod{256}$,
$\ldots \equiv \ldots \pmod{256}$.

Each equation holds with probability about 1/256 (for a randomly chosen time step $t$) and the two are independent, so the event $E^*$ holds with probability about 1/65536. When it does hold, we have
$\ldots^{\,\cdot,a} \equiv \ldots^{\,\cdot,b} \pmod{256}$.
This in turn implies that the outputs of the preceding layer push forward to give information on the outputs of layer 6:
$x_i^{6,a} = x_i^{6,b}$, $x_i^{6,c} = x_i^{6,d}$ for $0 \le i \le 15$,
$x_i^{6,a} = x_i^{6,c}$, $x_i^{6,b} = x_i^{6,d}$ for $16 \le i \le 31$,
hence
$x_i^{6,a} + x_i^{6,d} = x_i^{6,b} + x_i^{6,c}$ for $0 \le i \le 31$.
Because layer 7 is linear (mod 256), we get
$x_i^{7,a} + x_i^{7,d} \equiv x_i^{7,b} + x_i^{7,c} \pmod{256}$.
We now test each key byte $k_i$. That is, for each position $0 \le i \le 7$ and each possible value of $k_i$ we test whether the byte values obtained from $x$ using $k_i$ would satisfy (5):
$S(k_i \oplus x_i^{a}) + S(k_i \oplus x_i^{d}) \equiv S(k_i \oplus x_i^{b}) + S(k_i \oplus x_i^{c}) \pmod{256}$. (5)

The concatenation of possible bytes $(k_0, k_1, \ldots, k_7)$ from this step represents a possible setting of $(K_1, K_2)$ consistent with the event $E^*$ having occurred at this time step $t$. We will call this 8-byte setting a putative key. If event $E^*$ did occur then the correct setting of $(k_0, k_1, \ldots, k_7)$ will be present among these possibilities. If it did not occur, we may get several false alarms.

The difficulty is that we do not know whether event $E^*$ occurred or not. We may find that for one of the byte positions $i$ there is no possible setting of $k_i$ satisfying (5); in this case we know that $E^*$ did not occur, and this case can be discarded.

Our strategy will be to try out 330,000 different values of $t$ and, on each one that has at least one possible setting of each of the eight bytes $k_i$, to record the possible values of the 8-tuple $(k_0, k_1, \ldots, k_7) = (K_1, K_2)$. The correct value should show up about five times among these putative keys, and incorrect values should show up less often. Having ascertained the correct value of $(K_1, K_2)$ we will be able to get the keys $(K_3, K_4)$ with less difficulty in a later section.



For our analysis it will be useful to know the following two probability distributions. For bytes $x_a, x_b, x_c, x_d$ representing $x_i^{a}, x_i^{b}, x_i^{c}, x_i^{d}$, let $N(x_a, x_b, x_c, x_d)$ be the number of key bytes $k$ that would satisfy (5):
$S(k \oplus x_a) + S(k \oplus x_d) \equiv S(k \oplus x_b) + S(k \oplus x_c) \pmod{256}$. (6)

We want to know the distribution $P_1(n) = P(N(x_a, x_b, x_c, x_d) = n)$ when the $x_h$ are independent random variables. Also we want to know the distribution $P_2(n) = P(N(x_a, x_b, x_c, x_d) = n)$ when the $x_h$ are known to arise from event $E^*$, that is, when the correct key byte is known to satisfy (6). The two are related by $P_2(n) = n P_1(n)$. The experimental distributions are given in the appendix.

The first distribution is almost Poisson with mean 1, $P_1(n) \approx e^{-1}/n!$, with three notable exceptions.

First, $P_1(256) \approx 2/256^2 = 2^{-15}$, because with that probability we either have ($x_a = x_b$ and $x_c = x_d$) or ($x_a = x_c$ and $x_b = x_d$), and in either case all 256 key bytes $k$ will work.

Second, $P_1(128) \approx (1/2)/256^2 = 2^{-17}$, and similarly $P_1(64) \approx (5/\ldots)/256^2$, $P_1(32) \approx (13/\ldots)/256^2$, and $P_1(16)$, $P_1(8)$ are similarly high. This happens because of idiosyncrasies of the permutation $S$. For example, in the case $n = 128$, consider the event that $x_a \oplus x_d = x_b \oplus x_c = 11111101$ in binary and $x_a$ and $x_b$ agree in the second-lowest bit. This event has probability $(1/256)^2 (1/2) = 2^{-17}$. When this happens, for all 128 key bytes $k$ disagreeing with $x_a$ in the second-lowest bit we have $(k \oplus x_a) + (k \oplus x_d) = 257$. Then, because $S(x) = x^{-1} \pmod{257}$ if $x \ne 0$, we have
$S(k \oplus x_a) + S(k \oplus x_d) = S(k \oplus x_b) + S(k \oplus x_c) = 257$
for each of these 128 values of $k$, so that $N(x_a, x_b, x_c, x_d) \ge 128$. This implies $P_1(128) \approx 2^{-17}$. Similar calculations obtain for $n = 64, 32, 16, 8$.

Third, it appears experimentally that $P_1(0)$ is a little higher than expected, 0.40 rather than 0.37, and $P_1(1)$ is a little lower. This may relate to the first two observations.

These deviations from the Poisson distribution, particularly the relatively high values of $P_1(256)$ and $P_1(128)$, are a minor nuisance for our cryptanalysis.
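As an added worked example (not code from the paper), the following C program builds the S-box $S(x) = x^{-1} \bmod 257$ quoted above and counts, for given bytes $x_a, x_b, x_c, x_d$, the key bytes $k$ satisfying (6). It reproduces the two structural cases just discussed: the case where all 256 keys pass, and the case built from $x_a \oplus x_d = x_b \oplus x_c = 11111101$ where at least 128 keys pass. The page does not say what $S(0)$ is; the code assumes $S(0) = 0$, and neither check depends on that value. The function names (sbox, count_keys, keys_in_fd_case), the sample bytes and the small LCG used by main() to sample quadruples are all constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* S(x) = x^{-1} mod 257 for x != 0 (from the paper); S(0) = 0 is an assumption. */
static uint8_t S[256];
static bool sbox_ready = false;

static void build_sbox(void)
{
    S[0] = 0;                       /* assumption: the page does not define S(0) */
    for (int x = 1; x < 256; x++)
        for (int y = 1; y < 256; y++)
            if ((x * y) % 257 == 1) { S[x] = (uint8_t)y; break; }
    sbox_ready = true;
}

int sbox(int x)
{
    if (!sbox_ready) build_sbox();
    return S[x & 0xff];
}

/* N(x_a, x_b, x_c, x_d) of equation (6): number of key bytes k with
 * S(k^x_a) + S(k^x_d) == S(k^x_b) + S(k^x_c)  (mod 256). */
int count_keys(uint8_t xa, uint8_t xb, uint8_t xc, uint8_t xd)
{
    if (!sbox_ready) build_sbox();
    int n = 0;
    for (int k = 0; k < 256; k++) {
        int lhs = (S[k ^ xa] + S[k ^ xd]) & 0xff;
        int rhs = (S[k ^ xb] + S[k ^ xc]) & 0xff;
        if (lhs == rhs) n++;
    }
    return n;
}

/* The paper's n = 128 construction: x_a ^ x_d = x_b ^ x_c = 0xFD, and the caller
 * passes x_a, x_b that agree in bit 1. For the 128 keys k whose bit 1 differs
 * from x_a's, (k^x_a) + (k^x_d) = 257, hence S(k^x_a) + S(k^x_d) = 257, and the
 * same holds for (x_b, x_c): both sides of (6) are 1 mod 256 and k passes. */
int keys_in_fd_case(uint8_t xa, uint8_t xb)
{
    return count_keys(xa, xb, xb ^ 0xFD, xa ^ 0xFD);
}

/* Constructed driver: sample random quadruples with a small LCG (not from the
 * paper) and report the empirical P1(0), to compare with the 0.40 quoted above. */
int main(void)
{
    uint32_t seed = 0x2545F491u;                 /* arbitrary constructed seed */
    int zeros = 0, trials = 20000;
    for (int t = 0; t < trials; t++) {
        uint8_t x[4];
        for (int j = 0; j < 4; j++) {
            seed = seed * 1664525u + 1013904223u;  /* Numerical Recipes LCG */
            x[j] = (uint8_t)(seed >> 24);
        }
        if (count_keys(x[0], x[1], x[2], x[3]) == 0) zeros++;
    }
    printf("sampled P1(0) = %.3f (paper: about 0.40)\n", (double)zeros / trials);
    printf("N for x_a=x_b, x_c=x_d: %d\n", count_keys(0x3c, 0x3c, 0xa7, 0xa7));
    printf("N in the 0xFD case: %d (at least 128)\n", keys_in_fd_case(0x00, 0x10));
    return 0;
}
```

The sampled $P_1(0)$ printed by main() is only an estimate and will vary with the seed; the two exact facts are the ones asserted below: the "all 256 keys" case holds for any $S$ at all, while the "at least 128 keys" case needs the inversion structure of $S$.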

When event $E^*$ has happened, the distribution $P_2(n)$ is relevant to the number of trial key bytes $k_i$ that would satisfy (6) in each byte position $i$. The number of 8-byte keys $(k_0, \ldots, k_7)$ is given by
$\prod_{i=0}^{7} N(x_i^{a}, x_i^{b}, x_i^{c}, x_i^{d})$,
with expected value about $4.3^8 \approx 120{,}000$. This expected value is so high because of the unusually large values of $P_2(256)$ and $P_2(128)$.

When event $E^*$ has not happened, the distribution $P_1(n)$ is relevant and the expected number of 8-byte keys is 1. In fact, with probability about $1 - (1 - 0.40)^8 \approx 0.98$ at least one of the values $N(x_i^{a}, x_i^{b}, x_i^{c}, x_i^{d})$ is zero, so that no 8-byte keys are valid; with the complementary probability 0.016 all are nonzero, and then the expected number of keys is $1/0.016 \approx 62$.

So with 330,000 experiments the expected number of 8-byte putative keys is $5 \cdot 120{,}000 + (330{,}000 - 5) \cdot 1 \approx 930{,}000$. Among these the correct key should appear five times and should be easy to detect; incorrect keys should appear at most once, with possible exception of those differing from the correct key in only one or two bytes.




42 Don Coppersmith, David Wagner, Bruce Schneier, John Kelsey

Although the mean number of putative keys is fairly small, the variance is huge; the standard deviation exceeds $10^{\ldots}$. This is because of the relatively high probability that for a given time step and given byte position $N(x_a, x_b, x_c, x_d)$ is either 256 or 128; if several such bytes occur at the same time step, this time step will yield a huge number of putative keys. In this case an alternative data structure is called for. For example, if one time step has two or more such byte positions, we can declare that event $E^*$ has probably occurred and record putative values of the six or fewer remaining key bytes, or we could simply list 4-byte putative keys $K_1$ and $K_2$ separately.



Having determined $K_1$ and $K_2$ by the attack in Section 6, we also know the handful of positions where event $E^*$ has occurred; we know several places where
$\sum_i \ldots \equiv \sum_i \ldots \pmod{256}$. (7)
Because of the relation between $x^{\ldots}$ and $x^{\ldots}$ we also have
$\sum_i \ldots \equiv \sum_i \ldots \pmod{256}$,
where $\ldots$ . By enumeration of possibilities we can find all the possible values of the concatenation $(x_0^{\ldots}, x_1^{\ldots}, x_2^{\ldots}, x_3^{\ldots})$ and hence, by adding one period modulo the other prime, the concatenation $(x_4^{\ldots}, x_5^{\ldots}, x_6^{\ldots}, x_7^{\ldots})$ which satisfy (7). This whittles down the possible values of $K_3$ from a collection of $\ldots$ to about $\ldots/256$ possible values. Similar calculations reduce our choice of $K_4$ to about $\ldots$ possible values. The correct values can be gotten by exhaustion.



Another approach to recovering $(K_3, K_4)$ is given here. Assume that we have previously identified $(K_1, K_2)$ using any of the attacks from Sections 4–6. This attack requires only $2^{\ldots}$ operations and two known keystream blocks; therefore it should be very fast.

Because of the form of the linear relation in layer 7 we find that the signed sum $x^{7}_{\cdot} + x^{7}_{\cdot} - x^{7}_{\cdot} - x^{7}_{\cdot} \pmod{256}$ of four output bytes depends only on the four bytes $x_i^{6}$, $i = 1, 3, 5, 7$. A meet-in-the-middle approach, requiring time $2^{\ldots}$, discovers all the values of the 4-tuple $x_i^{6}$, $i = 1, 3, 5, 7$, that could lead to a given value of this sum. Similarly the complementary signed sum $x^{7}_{\cdot} + x^{7}_{\cdot} - x^{7}_{\cdot} - x^{7}_{\cdot} \pmod{256}$ depends only on the four bytes $x_i^{6}$, $i = 0, 2, 4, 6$. Combine these two lists with another meet-in-the-middle attack and in time $2^{\ldots}$ we can recover the 8-tuple $x^{6}$ from any given value of the 8-tuple $x^{7}$.

Use this to decrypt one ciphertext back to layer 5. For each of the $2^{\ldots}$ trial subkeys $K_3$ compute forward to $x_i^{\ldots}$, $0 \le i \le 3$, and backward from layer 5 to $x_i^{\ldots}$, $0 \le i \le 3$. See whether there is a byte sum $x^{\ldots}$ which would enable the linear permutation at layer 4 to map $x_i^{\ldots}$, $0 \le i \le 3$, to $x_i^{\ldots}$, $0 \le i \le 3$. We expect 256 trial subkeys $K_3$ to pass this test. Similarly develop 256 trial subkeys $K_4$. Verify each of the resulting 65,536 pairs $(K_3, K_4)$ on another ciphertext to determine the correct pair.

0 u u 

The first attack should take only a few seconds to find $K_1$ and $K_2$, including gathering data.

The meet-in-the-middle attack recovering $(K_1, K_2)$ (Section 5) requires $2^{\ldots}$ hash table lookups and about $2^{\ldots}$ words of memory. If we keep the entire table in memory the table lookups will take only a few hundred seconds or so (assuming 100 ns access time to main memory, which is not unreasonable).

The space requirements may be more noticeable. One simple approach is to distribute the table across a cluster of 256 workstations, each with 1… MB of memory; such a cluster would take roughly a few hundred seconds to find $(K_1, K_2)$. Another simple approach, if only one workstation is available, is to trade off time for memory by splitting the table across time; one workstation can finish in $256 \cdot$ (a few hundred) $\approx 10^{\ldots}$ seconds (about one month), and $n$ workstations will finish $n$ times as fast as that. This is not out of hand, and the interested reader might be able to find better ways to reduce memory and so forth; for example, the parallel collision search techniques of van Oorschot and Wiener [vOW96] (applied to find "golden collisions") look promising.

For the attacks based on identifying occurrences of event $E^*$ (Sections 6–8) we need the generator to run for $p_1 + p_2 \approx 2^{\ldots}$ time steps, generating $2^{\ldots}$ bytes. At the advertised speed of 1 megabyte per second this will take about nineteen hours. We will look at only 1,000,000 message blocks (8,000,000 bytes): 330,000 at the beginning (representing $a$), another 330,000 in the middle (representing both $b$ and $c$, because $p_1$ and $p_2$ are so close to each other) and another 330,000 at the end (representing $d$). For each selection $(a, b, c, d)$ we might need to evaluate $256 \cdot 8 = 2048$ trial key bytes $0 \le k_i \le 255$, $0 \le i \le 7$. However, realize that much of the time we will find that, for example, key byte $k_0$ has no possible values, so that bytes $k_1, \ldots, k_7$ need not be examined for this case. In total about 1,000,000 key bytes need to be examined.







The same paper […97] proposes a faster version, TWOPRIME-1, differing from TWOPRIME only in the seventh layer; in TWOPRIME-1 this layer preserves halves. That is, the output bytes $x_i^{7}$, $0 \le i \le 3$, only depend on the input bytes $x_i^{6}$, $0 \le i \le 15$, and the output bytes $x_i^{7}$, $4 \le i \le 7$, only depend on the input bytes $x_i^{6}$, $16 \le i \le 31$. This means that the only interaction between the left and right halves of the message occurs during the "linear permutation" in the fourth layer, and there the interaction is limited to the one byte $\sum_i x_i^{\ldots} \pmod{256}$. At two time steps where this sum agrees the halves are completely separate.

So if we examine the output at times $a = t$ and $b = t + p_1$ and $\sum_i x_i^{\ldots,a} \equiv \sum_i x_i^{\ldots,b} \pmod{256}$ (i.e. the second of the two conditions of event $E^*$), then the left-hand half of the output of each layer is the same for $a$ as for $b$:
$x_i^{j,a} = x_i^{j,b}$, $0 \le i \le 3$, $j \ne 6$;
$x_i^{6,a} = x_i^{6,b}$, $0 \le i \le 15$.



In particular the left-hand halves of the outputs will agree. By identifying eight pairs $(a, b)$ where these output halves agree we can deduce the value of $K_1$ as in the TWOPRIME case. Similar computations give us $K_2$.

We can then use exhaustive search to compute $K_3$ in about $2^{\ldots}$ steps. For example, if we guess the four bytes representing $(\ldots) \oplus k_i$, $0 \le i \le 3$, and we know the values of $K_1$ and $K_2$, we can find the left-hand half of all layers up through layer $\ldots$. We can compare the encryptions at two unrelated time steps, say $a$ and $e$, to see whether
$x_i^{\ldots,a} = x_i^{\ldots,e}$ at one layer corresponds to $x_i^{\ldots,a} = x_i^{\ldots,e}$ at the other, $0 \le i \le 3$.
If not, these four bytes are wrong. But if they are equal we can use layer $\ldots$ to deduce $K_4$, giving us another check on our original assumptions and furnishing us with the correct value of $K_3$. The calculation of $K_3$ is related to the need to run the generator for $2^{\ldots}$ messages ($2^{\ldots}$ bytes) for ten hours and examine about $256 \cdot 16 = 4{,}096$ blocks (32,768 bytes). The computational requirements of $2^{\ldots}$ operations are not onerous, and the interested reader might well find more efficient methods to discover $K_3$.

Another approach is also available. In the first phase of this attack we recover $(K_1, K_2)$. The key observation is that, modelling each half of layers 6–7 as a random function, only about $1 - e^{-1}$ of the possible values of the left half of the output of the seventh layer will actually be attainable. Therefore in the first phase we guess $K_1$, compute up the left side of the cipher to the output of the seventh layer, and discard guesses when they produce unattainable intermediate values. Because $(1 - e^{-1})^{50} < 2^{-32}$, we see that at about 50 blocks (400 bytes) of known plaintext there will be just one value remaining, namely the correct value of $K_1$. A similar technique recovers $K_2$.

Now the second phase proceeds as in Section 9. For each guess at $K_3$ we compute forward down the left side of the cipher to the output of layer 3 and backward to the output of layer $\ldots$, checking to see whether the two are compatible. We expect 256 values of $K_3$ to remain and similarly 256 values of $K_4$; these remaining $2^{16}$ possibilities can be checked by trial decryption.

In short this second approach breaks TWOPRIME-1 with about the same time and space complexity as the corresponding attack on TWOPRIME. It requires slightly more known plaintext, but 50 blocks (400 bytes) of known plaintext should be readily available in many systems.



12

The same paper […97] proposes a scheme TWOPRIME-2 which differs from TWOPRIME only in the first layer: instead of two primes $p_1$ and $p_2$ we have only one prime $p = 2^{\ldots} - 59$ and a fixed multiplier $\alpha$. The output of the first layer at time $t$ is
$(x_0^{1}, \ldots, x_7^{1}) = \alpha t + (K_1, K_2) \pmod{p}$.
A slight modification enables one attack to run against this scheme as well. Based on the value $\alpha$ (which was not specified in the paper), compute values $\Delta_1$ and $\Delta_2$ such that in the binary representation of $\alpha \Delta_1 \pmod{p}$ the leftmost 32 bits are 0 (so that the left half is 0 and the right half represents an integer smaller than $2^{32}$). Similarly, in the binary representation of $\alpha \Delta_2 \pmod{p}$ the leftmost (highest order) two bits are 0 and the rightmost 32 bits are 0. The $\Delta_i$ should be about $2^{\ldots}$ and can be computed using methods from continued fractions.

Then if we consider time steps
$a = t$, $b = t + \Delta_1$, $c = t + \Delta_2$, $d = t + \Delta_1 + \Delta_2$,
we will find with probability exceeding $(3/4)^2 > 0.56$ that the left-hand halves of the outputs of layer 1 agree at times $a$ and $b$ as well as at times $c$ and $d$, and the right-hand halves agree at times $a$ and $c$ as well as at times $b$ and $d$. The rest of the attack proceeds as before.



We need the generator to run for somewhat longer, because $\Delta > p$, and we need to examine somewhat more ciphertext because our four conditions only occur with probability 0.56, but the attack is still feasible.

Another approach is also available. One can break TWOPRIME-2 with meet-in-the-middle techniques. In fact, simply applying the attack … immediately breaks TWOPRIME-2 without any modifications needed. This second approach requires eight blocks of known keystream as well as $2^{\ldots}$ time and $2^{\ldots}$ space.





U 

At a high level, the intuition behind some of our cryptanalysis is that we apply the meet-in-the-middle attack repeatedly, at two levels of abstraction. First, we divide the cipher horizontally between layers and meet at the "middle", the output of the seventh layer, at the highest level of abstraction. Second, we divide the cipher vertically into left and right halves and meet in the "middle", where the "middle" is a characteristic of the output of the seventh layer.

Some of the techniques, e.g. Sections 6–8, do not fall cleanly into this model. We will ignore them for the moment.

Note that the vertical split can be viewed as decomposing the 64-bit function $F$ into two parallel 32-bit functions $G, H$. In other words, splitting $F$ vertically corresponds to writing $F(a, b) = (G(a), H(b))$. Once one is given such a parallel decomposition, we can apply a divide-and-conquer attack; since breaking a 32-bit function has complexity at most $2^{32}$, such a decomposition lets us break $F$ in at most $2 \cdot 2^{32}$ time.

So we conclude that $F$ should be designed to resist parallel decomposition, and in particular there should be no parallel $G, H$ that approximate $F$. This just comes down to ensuring there is plenty of diffusion, a well-known principle of cipher design. This lack of diffusion helped make our attacks on TWOPRIME possible.

One can also analyze the horizontal split in terms of functional decomposition. In this case we find that it corresponds to finding $G, H$ such that $F = H \circ G$ (i.e. $F(a) = H(G(a))$). When we can find such $G, H$ where $G$ is non-surjective and $H$ is bijective, then meet-in-the-middle attacks may allow the cryptanalyst to isolate the effect of $G$ from the effect of $H$. In other words, the cryptanalyst can often analyze $H$ without taking into account the effect of $G$ (or the key bits that enter $G$); once $H$ has been broken the cryptanalyst can then peel off the effect of $H$ (since it is bijective) and attack $G$ alone. The result of such a divide-and-conquer attack would be that $F$ is not much stronger than the stronger of $G$ or $H$ standing alone. TWOPRIME put some of its strength into $G$ and some into $H$, with the result that much of its strength was wasted. Better would have been to concentrate all the strength in one of $G$ or $H$ and make the other as simple as possible, to avoid this potential danger.

We now suggest the following design principle, which seems broadly applicable to the construction of non-bijective cryptographic functions from a product of rounds. One should avoid introducing non-surjectivity in the middle of the function, because that may speed up meet-in-the-middle attacks and thus waste precious cryptographic strength.

Note that the latter design principle offers some intuitive justification for the structure of many of today's most successful non-bijective cryptographic functions (such as MD5, …). The Davies–Meyer construction […] builds $F$ as $F(a) = G(a) \oplus a$. All the strength is concentrated in a bijective function $G$ (usually built out of a block cipher); the non-surjectivity is introduced as late as possible and as simply as possible. […91] and […90] also follow our suggested design principle: they too use a bijective function $G$ at the core and introduce non-surjectivity only at the end points (by adding simple redundancy to the input of $G$ and truncating its output).

This design principle is not novel. It has been discussed in more detail by Preneel in the context of the design of compression functions for hash functions; see [Pre93], e.g. Section … .



u 

Pulling it all together, we can identify three important attacks against the stream cipher TWOPRIME. First, we can break TWOPRIME with … blocks of known keystream and $2^{\ldots}$ work by using the techniques of Sections … and 9. Alternatively we can get by with only … blocks of known keystream with repeated use of meet-in-the-middle attacks (Sections 5 and 9); the cost is that we need $2^{\ldots}$ space as well as $2^{\ldots}$ work. Finally, we can cryptanalyze TWOPRIME with … blocks of known keystream and about $2^{\ldots}$ operations by using the methods from Sections 6–8; this last attack uses no special features of the compression function in layer seven (other than its linearity). We see that for a cipher with a 128-bit key TWOPRIME is disappointingly weak.

We have pointed out weaknesses in two of the layers in TWOPRIME. Because TWOPRIME has only nine layers, each layer lies close to the surface, and any weakness is more easily exploited. The system needs more layers to have any serious cryptographic strength.
JEROBOAM



Hervé Chabanne and Emmanuel Michon***

SAGEM SA, Unité de Recherche et Développement, Systèmes et Terminaux Sécurisés, France
chabanne@urd32.sagem.fr
École Polytechnique, Palaiseau, France
michon@www.enst.fr



We introduce a new fast stream cipher, JEROBOAM, working with a key of 128 or 248 bits. JEROBOAM was designed to work with eight internal 32-bit registers called multiply-with-carry generators (mwc). These registers are very easy to implement in software and produce sequences of excellent statistical quality. However, one mwc is easily cracked by a lattice reduction algorithm. Hence we are able to interpose a nonlinear filter between these weak registers and the pseudo-random output.



The cipher JEROBOAM is designed to work efficiently on 16-bit microprocessors. The key is 128- or 248-bit long, which is quite comfortable; after a short setup, equivalent in time to the encryption of a 42-byte message, JEROBOAM produces a pseudo-random stream one can use as a symmetric cipher to XOR a cleartext of any length.

JEROBOAM was designed with IDEA [8, 11] as a model. It relies on a classical scheme and can be seen as a nonlinear combination of irregularly clocked pseudo-random generators. Current technical requirements bind us to use only operations directly available on all microprocessors: we use mwc as random generators, and the nonlinear filter is obtained by a now classical alternance of + and ⊕. The mwc (multiply-with-carry) generators are a new primitive in cryptography due to Marsaglia [5]. They allow fast computations in different prime finite fields; their description and the way they can be cryptanalysed can be found in Sect. 2.

The complete description of JEROBOAM is given in Sect. 3. It is completed by a slow C implementation and test values in Sect. 7.

In Sect. 4 we discuss the statistical evaluation of the output stream as a pseudo-random sequence. We study in Sect. 5 the speed of JEROBOAM and give a microprocessor-independent evaluation.

*** Current address: École Nationale Supérieure des Télécommunications, Paris, France. This work was completed during a terminal training period in SAGEM SA. The reference [4] is the complete, fully documented version of this article.

Thanks to [10] for its pointer on the package DIEHARD due to G. Marsaglia.
2 Multiply-with-carry generators (mwc)

Definition 1. Let $a, b \ge 1$, $0 \le c_0 < a$ and $0 \le x_0 < b$. The mwc (multiply-with-carry) generator of multiplier $a$ and base $b$ with initial state $(c_0, x_0)$ is the sequence $(c_n, x_n)$ in which $(c_{n+1}, x_{n+1})$ are the quotient and the remainder of the euclidean division of $a x_n + c_n$ by $b$:
$b\,c_{n+1} + x_{n+1} = a x_n + c_n$, $0 \le x_{n+1} < b$. (1)
Its output is the sequence $(x_n)$.
The division is just a right shift if we let $b$ be a power of 2; in JEROBOAM $b = 2^{16}$, and we let the carry $c_n$ be the MSBs and $x_n$ the LSBs of a 32-bit word $w$. This way (1) becomes, in ready-to-code form,

w = a*(w & 0xffff) + (w >> 16)

where & is the logical AND and >> the right shift. We return $x_n$ = w & 0xffff. We can state the following result from [5]:

Proposition 2. Let $S = \{(c, x) : 0 \le c < a,\ 0 \le x < b\}$ be the state space and $m = ab - 1$, so that $|S| = m + 1$. The map $f : (c_n, x_n) \mapsto (c_{n+1}, x_{n+1})$ is a bijection of $S$; apart from the two fixed points $(0, 0)$ and $(a - 1, b - 1)$, its orbits are those of multiplication by $a$ on the multiplicative group $(\mathbb{Z}/m\mathbb{Z})^*$, so their lengths divide $m - 1$.

If we choose $m$ to be a safe prime, i.e. both $m$ and $(m - 1)/2$ are prime, we get two non-trivial orbits for this graph.

The following result shows how to switch from one orbit to another.

Proposition 3. Let $g : S \to S$, $(c, x) \mapsto (a - 1 - c,\ b - 1 - x)$. Then $g \circ f \circ g = f$, i.e. $f \circ g = g \circ f$.

Proof. Let $(c', x') = f(c, x)$ be defined by the euclidean division by $b$:
$b c' + x' = a x + c$, with $0 \le x' \le b - 1$;
then
$ab - 1 - (bc' + x') = ab - 1 - ax - c$,
$b(a - 1 - c') + (b - 1 - x') = a(b - 1 - x) + (a - 1 - c)$,
with $0 \le b - 1 - x' \le b - 1$, which means $g \circ f \circ g = f$, so $f \circ g = g \circ f$. □

This way we can switch from one one-point orbit to the other and, more interesting, from one $(m - 1)/2$-point orbit to the other.
2.1 Choice of the parameters

Considering only safe prime modules $m = a \cdot 2^{16} - 1$ ($0 < a < 2^{16}$) leaves us the choice between 392 values. We would appreciate using every bit in the 32-bit word $w$, so we impose the condition $2^{15} < a$. There are still 171 possibilities left.

To explain our final choice, let us consider the following result, which establishes a strong link between mwc and the well-known Lehmer generator $X_{n+1} = aX_n \bmod m$.



Proposition 4. Let $X_0 = a x_0 + c_0$ (so that $a x_0 + c_0 < m$) and $X_{n+1} = a X_n \bmod m$. Then for all $n \in \mathbb{N}$,
$c_n = X_n \bmod a$, $x_n = \lfloor X_n / a \rfloor$, i.e. $X_n = a x_n + c_n$. (2)

Proof. Because $a x_0 + c_0 < m$, with $0 \le x_0 \le b - 1$ and $0 \le c_0 < a$, (2) is true for $n = 0$. Suppose it is true for $n$. Let $q, r$ be the quotient and the remainder of the euclidean division of $X_n$ by $b$; we get
$X_n = bq + r$ with $0 \le r < b$.
Multiply by $a$; it becomes
$aX_n = abq + ar$ with $0 \le ar < ab$;
we obtain this way the euclidean division of $aX_n$ by $ab$. One can also write
$aX_n = (ab - 1)\,q + ar + q$.
Is this the euclidean division of $aX_n$ by $ab - 1$? Let us check that $0 \le ar + q < ab - 1$:
– if $0 \le r \le b - 2$, given $0 \le q \le a - 1$, one gets $ar + q \le a(b - 2) + a - 1 = ab - 1 - a < ab - 1$;
– if $r = b - 1$, we know then $0 \le q \le a - 2$, and we get $ar + q \le a(b - 1) + a - 2 = ab - 2 < ab - 1$.
This way $X_{n+1} = ar + q$, which is the relation stated at the rank $n + 1$, since $(c_{n+1}, x_{n+1}) = (q, r)$ by (1). □

Knuth defines the spectral test in [3]. This test is an evaluation of the quality of the geometric repartition of the successive $t$-uples $(X_n, X_{n+1}, \ldots, X_{n+t-1})$ of a Lehmer generator; it is clear that two generators of the same module $m$ can have very different behavior with different multipliers $a$.

Fishman and L. Moore [6, 9] use this test to determine the best multipliers for the given modules $m = 2^{31} - 1$, $2^{32}$ and $2^{48}$.
We choose the biggest eight $a$ satisfying the conditions $m = a \cdot 2^{16} - 1$ safe prime, $2^{15} < a < 2^{16}$ and $\mu_3 > 0.02$ (the figures of merit $\mu_t$ and $\nu_t$ are defined in [3], p. 101).

    a      a (hex)     nu_2^2      nu_3^2  nu_4^2  nu_5^2  nu_6^2  mu_2  mu_3    mu_4  mu_5  mu_6
    36594  8ef2        1339120837  54273   31023   3610    1148    1.75  0.0221  1.98  1.72  3.26
    36804  8fc4        1354534417  65869   29375   3287    771     1.76  0.0294  1.77  1.35  0.98
    37959  9447        1440885682  54529   29468   2782    667     1.82  0.0214  1.72  0.86  0.62
    38568  96a8        1487490625  75165   30978   2259    1017    1.85  0.0342  1.87  0.51  2.15
    40995  a023        1680590026  77923   25142   4287    1118    1.97  0.0339  1.16  2.36  2.69
    42153  a4a9        1776875410  81906   53845   1827    797     2.02  0.0355  5.18  0.27  0.95
    42903  a1 = a797   1840667410  65865   40036   1408    1258    2.06  0.0252  2.81  0.14  3.66
    43995  a3 = abdb   1935560026  58906   54315   4903    930     2.11  0.0208  5.05  3.07  1.44
    47529  a5 = b9a9   2259005842  68806   40203   690     686     2.28  0.0243  2.56  0.02  0.54
    51813  a7 = ca65   2684586970  73230   39339   5164    1055    2.48  0.0244  2.25  2.97  1.79
    53130  a6 = cf8a   2822796901  75169   41931   4691    889     2.55  0.0248  2.49  2.28  1.04
    54564  a4 = d524   2977230097  83097   39742   4283    1087    2.62  0.0281  2.18  1.77  1.86
    57225  a2 = df89   3274700626  74934   53947   7793    1223    2.74  0.0229  3.83  7.52  2.52
    61914  a0 = f1da   3833343397  88869   71443   4014    750     2.97  0.0273  6.21  1.32  0.54

Remark that the whole multiplicative congruential generator is implied in the spectral test; the bits we use in JEROBOAM are in fact the most significant ones.
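As an added worked example (not the paper's code), here is a C program for a single mwc register with $b = 2^{16}$ in the packed form w = (c << 16) | x used above, the orbit switch of Proposition 3, the Lehmer view of Proposition 4, and a trial-division check of the safe-prime condition on $m = a \cdot 2^{16} - 1$. The multipliers in main() are the eight chosen in the table; the function names (mwc_step, mwc_switch, mwc_to_lehmer, lehmer_matches, switch_commutes, is_prime_u64, is_safe_prime), the sample state 0x12345678 and the step count are constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define MWC_B 65536u   /* base b = 2^16: x is the low half of w, the carry c the high half */

/* One mwc step, equation (1): b*c' + x' = a*x + c, packed as w = (c << 16) | x. */
uint32_t mwc_step(uint32_t a, uint32_t w)
{
    return a * (w & 0xffffu) + (w >> 16);
}

/* Orbit switch of Proposition 3: (c, x) -> (a - 1 - c, b - 1 - x). */
uint32_t mwc_switch(uint32_t a, uint32_t w)
{
    return ((a - 1) << 16) + 0xffffu - w;
}

/* Lehmer view of Proposition 4: X = a*x + c, an element of Z/mZ with m = ab - 1. */
uint64_t mwc_to_lehmer(uint32_t a, uint32_t w)
{
    return (uint64_t)a * (w & 0xffffu) + (w >> 16);
}

/* Step the packed register and the Lehmer generator X <- a*X mod m side by
 * side for n steps; true if they describe the same sequence throughout. */
bool lehmer_matches(uint32_t a, uint32_t w0, int n)
{
    uint64_t m = (uint64_t)a * MWC_B - 1;
    uint64_t X = mwc_to_lehmer(a, w0) % m;   /* (a-1, b-1) and (0, 0) both reduce to 0 */
    uint32_t w = w0;
    for (int i = 0; i < n; i++) {
        w = mwc_step(a, w);
        X = (X * a) % m;                     /* X < 2^32, a < 2^16: no 64-bit overflow */
        if (mwc_to_lehmer(a, w) % m != X) return false;
    }
    return true;
}

/* Proposition 3: the switch commutes with stepping, f(g(s)) == g(f(s)),
 * and on the Lehmer side it is negation: X(g(s)) == m - X(s). */
bool switch_commutes(uint32_t a, uint32_t w)
{
    uint64_t m = (uint64_t)a * MWC_B - 1;
    bool commutes = mwc_step(a, mwc_switch(a, w)) == mwc_switch(a, mwc_step(a, w));
    bool negates  = mwc_to_lehmer(a, mwc_switch(a, w)) == m - mwc_to_lehmer(a, w);
    return commutes && negates;
}

/* Trial division is enough here: m < 2^32, so at most 2^16 candidate divisors. */
bool is_prime_u64(uint64_t n)
{
    if (n < 2) return false;
    if (n % 2 == 0) return n == 2;
    for (uint64_t d = 3; d * d <= n; d += 2)
        if (n % d == 0) return false;
    return true;
}

/* Safe prime: m and (m - 1)/2 both prime, the condition imposed in Sect. 2.1. */
bool is_safe_prime(uint64_t m)
{
    return is_prime_u64(m) && is_prime_u64((m - 1) / 2);
}

int main(void)
{
    /* The eight multipliers of the table (a0..a7 in the order of the C code). */
    const uint32_t a[8] = {61914, 42903, 57225, 43995, 54564, 47529, 53130, 51813};
    const uint32_t w0 = 0x12345678u;         /* constructed state: c = 0x1234 < a */
    for (int i = 0; i < 8; i++) {
        uint64_t m = (uint64_t)a[i] * MWC_B - 1;
        printf("a=%5u m=%10llu safe prime: %s  lehmer ok: %s  switch ok: %s\n",
               a[i], (unsigned long long)m,
               is_safe_prime(m) ? "yes" : "no",
               lehmer_matches(a[i], w0, 1000) ? "yes" : "no",
               switch_commutes(a[i], w0) ? "yes" : "no");
    }
    return 0;
}
```

Note the two different integers attached to one state: the packed word w = c·2^16 + x that the code stores, and the Lehmer value $X = ax + c$ of Proposition 4. The orbit switch is a simple bit operation on w but is negation modulo $m$ on X, which is why it jumps between the two $(m - 1)/2$-point orbits.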

2.2 Cryptanalysis of a mwc

We know that the sequence produced by a multiplicative congruential generator is predictable. More precisely, Frieze, Håstad, Kannan, Lagarias and Shamir [1] prove the following result.

Proposition 5. Let $k$ be given, and let $X_{n+1} = aX_n \bmod m$ be a Lehmer generator; let
$s = 1 + \log_2 \ldots \log_2 k$.
Then, given the $s$ most significant bits of each of $X_1, \ldots, X_k$, … $\Lambda$ … .

Consider the matrix¹
$A = \begin{pmatrix} m & 0 & 0 & \cdots & 0 \\ a & -1 & 0 & \cdots & 0 \\ a^2 & 0 & -1 & \cdots & 0 \\ \vdots & & & \ddots & \\ a^{k-1} & 0 & 0 & \cdots & -1 \end{pmatrix}$;

¹ A detailed proof and a more complete result can be found in [1].
we want to solve the system of modular equations $AX \equiv C \pmod{m}$, where $X = (x_1, x_2, \ldots, x_k)$ and $C = (0, 0, \ldots, 0)$ are two column vectors.

Let us consider the lattice formed by the rows of the matrix $A$ and reduce it by the LLL algorithm. This way we get a matrix $B = PA$ with "small" norm $\Lambda$, defined as the biggest euclidean norm of the rows of $B$.

The system can then be written $BX \equiv C' \pmod{m}$. If we choose the components of $C'$ in the integer interval $[-m/2, m/2]$ and if we know in advance that $X$ is small enough, i.e. $|BX| < m/2$, we lose the modular aspect and we are led to solve a trivial linear system $BX = C'$ in $\mathbb{Z}$.

Knowing some high order bits $X'$ of $X$ allows us to change the unknown and substitute $X$ by the small unknown vector $X - X'$, which leads us to the situation above. □

A C implementation of this proposition shows that $s$ is roughly $n/k$ for big $m$ and that a Lehmer generator can be "cracked" in a few seconds by the observation of a few MSBs. For more precise results see [4].



3 JEROBOAM

The heart of JEROBOAM consists of eight 32-bit mwc registers, a FIFO queue of two 16-bit words and a particular 16-bit word:

mwc0, mwc1, mwc2, mwc3, mwc4, mwc5, mwc6, mwc7, queue1, queue2, lea (for leader).

3.1 Setup

One can choose between a 248-bit key and a 128-bit key.

248-bit key. The key is given by eight 32-bit words key0, key1, key2, key3, key4, key5, key6, key7. The 32th bit of each word must be 0 and none of these words can be 0. The initial value of mwc_i is set to key_i.
queue1 and queue2 receive any values (we chose 0xda37, 0xc07f); lea is initially the LSBs of mwc0.
Make 21 cycles² of the algorithm below and prepare to encrypt.

128-bit key. The key is given by eight 16-bit words key0, key1, key2, key3, key4, key5, key6, key7. The ith mwc receives the 32-bit word (i + 1)·2^16 + key_i. One can choose any of the 2^128 possible keys, even the zero one! The following is identical.

² This is the first rank k beyond which the probability (k + 1)/2^k of outputting one of the queue original setup values is less than the uniform probability 2^-16.
3.2 Elementary cycle

1. Consider the bits of lea:

    bit:   15    14    13    12    11    10    9     8     7     6     5     4     3     2     1     0
    name:  swi2  sup0  lea0  chop  ini1  sup2  five  fifo  ini2  lea1  ini0  sup1  lea2  swi0  cplt  swi1

2. i0 is 4·ini2 + 2·ini1 + ini0.

3. If chop is 1 then
       cmb = mwc_{i0} ⊕ mwc_{i0+1} + mwc_{i0+2} ⊕ mwc_{i0+3}
   else
       cmb = mwc_{i0} + mwc_{i0+1} ⊕ mwc_{i0+2} + mwc_{i0+3}.
   + denotes the modular addition in Z/2^16 Z, ⊕ the bit-to-bit XOR. The evaluation of these two non-commutative, non-associative operations is done from left to right.

4. If five is 1, add mwc_{i0+4} to cmb with the appropriate alternating operation.

5. If fifo is 1, cmb enters the queue and is replaced by the output of the queue.

6. Output cmb: the next two bytes of text are ciphered as cmb XOR (those two bytes).

7. Advance all the mwc.

8. Advance once more the mwc indexed by 4·sup2 + 2·sup1 + sup0.

9. Switch the orbit of the mwc indexed by 4·swi2 + 2·swi1 + swi0.

10. newlea is the mwc indexed by 4·lea2 + 2·lea1 + lea0.

11. If cplt is 1, bit-to-bit complement newlea.

12. The new lea is newlea.

13. Go to step 1.

4 Statistical evaluation

We have used the statistical tests defined by Knuth [3] to check the random behavior of the output word of JEROBOAM.

These empirical tests are: frequency test, serial test, gap test, poker test, coupon collector's test, permutation test, run test, max-of-t test, collision test and serial correlation test.

We did not notice any significant bias: every bit of the output behaves as a coin-tossing experiment does, independently from its neighbours.

A full but quite boring evaluation of these statistics can be found in [4].

5 Speed

We ciphered 1, 2, …, 10 Mbyte files with a hundredth-of-second precise measure on different PCs. β denotes the number of clocks necessary to the obtention of one 16-bit output word.

    Microprocessor   Exploitation system   Speed (Mbyte/s)   beta
    Pentium 100      Windows 95            0.73              261
    Pentium 120      Windows 95            0.88              260
    Pentium 166      Windows 95            1.21              261
    Pentium 166      Windows NT 4          1.17              270
    Pentium 200      Windows 95            1.40              272

The C compiler is Microsoft Visual C++ version 4.2 using Pentium code generation.

Let us try to find a rapid estimation of the cost of a JEROBOAM cycle on a standard Pentium, with the slowest addressing mode on Pentium [7].

    Operation                Operand   Size (bits)   Quantity   Cycles
    unsigned multiplication  MUL       16x16->32     9          11
    subtraction              SUB       32            1          2
    logical and              AND       16            16         2
    addition                 ADD       16            11.75      2
    right shift              SHR       16            9          2
    exclusive or             XOR       16            2.75       2
    complement               NEG       16            0.5        2
    Total cycle number:                                         181

This is 30% less than the above observation, but it is still the same order of magnitude.

Computing C for an N MHz frequency microprocessor, one can estimate the enciphering speed v in megabyte per second from C and N.

We finally note that the speed of JEROBOAM strongly depends on the speed of the multiplication of two unsigned 16-bit words; for instance, experiments on an … processor bring us to a 25% speeding up.



6

We have seen that a mwc used alone is insecure.

We would now like to insist on the fact that, given the sequence formed by the sum in Z/2^16 Z of two mwc x_n and y_n in two different finite fields Z/pZ and Z/qZ, we do not know how to recover the initial terms x_0 and y_0.

The output of JEROBOAM is far more tricky. In particular this output always implies a third mwc with an XOR operation, i.e. another algebraic structure.

We invite the reader to determine how to recover the initial content of two mwc given the LSBs of their sum, then to incorporate a third mwc with ⊕ and finally crack JEROBOAM.
7 C implementation

7.1 Readable but slow C implementation

/* 16-bit stream cipher JEROBOAM 2.0
   Readable but slow C implementation */

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <stdint.h>

typedef uint16_t w16;   /* 16-bit word */
typedef uint32_t w32;   /* 32-bit word */

/* Multipliers a0..a7 of the eight mwc registers (see the table in Sect. 2.1). */
static w16 a[8] = {61914,42903,57225,43995,54564,47529,53130,51813};

static w32 mwc[8];

static w16 lea, queue1, queue2;

#define nsetupcycle 21

/* One mwc step, eq. (1): w = a * (w & 0xffff) + (w >> 16). */
void clockmwc(int i)
{ mwc[i] = (w32)(w16)mwc[i] * a[i] + (mwc[i] >> 16); }

/* Orbit switch (Proposition 3): (c, x) -> (a - 1 - c, b - 1 - x). */
void switchmwc(int i)
{ mwc[i] = ((w32)(a[i] - 1) << 16) + 0xffff - (w32)mwc[i]; }

/* One elementary cycle (Sect. 3.2); returns the 16-bit keystream word. */
w16 elemcycle(void)
{
  int five, chop, fifo, cplt;
  int lea2, lea1, lea0;
  int ini2, ini1, ini0;
  int sup2, sup1, sup0;
  int swi2, swi1, swi0;
  w16 newlea, cmb, save;
  int i0, i;

  /* Step 1: decode the control bits of lea. */
  swi1 = (lea & 0x0001) ? 1 : 0;
  cplt = (lea & 0x0002) ? 1 : 0;
  swi0 = (lea & 0x0004) ? 1 : 0;
  lea2 = (lea & 0x0008) ? 1 : 0;
  sup1 = (lea & 0x0010) ? 1 : 0;
  ini0 = (lea & 0x0020) ? 1 : 0;
  lea1 = (lea & 0x0040) ? 1 : 0;
  ini2 = (lea & 0x0080) ? 1 : 0;
  fifo = (lea & 0x0100) ? 1 : 0;
  five = (lea & 0x0200) ? 1 : 0;
  sup2 = (lea & 0x0400) ? 1 : 0;
  ini1 = (lea & 0x0800) ? 1 : 0;
  chop = (lea & 0x1000) ? 1 : 0;
  lea0 = (lea & 0x2000) ? 1 : 0;
  sup0 = (lea & 0x4000) ? 1 : 0;
  swi2 = (lea & 0x8000) ? 1 : 0;
  /* Steps 10-11: choose (and optionally complement) the next leader; the
     assignment keeps the 16 LSBs of the selected register. */
  newlea = mwc[4*lea2 + 2*lea1 + lea0];
  if (cplt) newlea = ~newlea;
  /* Steps 2-4: combine 3 (or 4 if five) consecutive registers, alternating
     + and ^ from left to right, starting with ^ when chop is set. */
  i0 = 4*ini2 + 2*ini1 + ini0;
  cmb = mwc[i0];
  for (i = 1; i <= 3 + five; i++)
  {
    if (chop) cmb = cmb ^ mwc[(i0 + i) % 8]; else cmb = cmb + mwc[(i0 + i) % 8];
    chop = !chop;
  }
  /* Step 5: pass through the two-word FIFO queue. */
  if (fifo)
  {
    save = queue1;
    queue1 = queue2;
    queue2 = cmb;
    cmb = save;
  }
  /* Steps 7-9: clock every register, clock one of them again, switch one orbit. */
  for (i = 0; i < 8; i++) clockmwc(i);
  clockmwc(4*sup2 + 2*sup1 + sup0);
  switchmwc(4*swi2 + 2*swi1 + swi0);
  /* Step 12. */
  lea = newlea;
  return cmb;
}

/* Encrypt (or decrypt) sizeinw16 16-bit words in place by XOR with the keystream. */
void cipher(unsigned char *msg, int sizeinw16)
{
  w16 *doublemsg;
  int compt;

  doublemsg = (w16*)msg;   /* ! pentium is little-endian */
  for (compt = 0; compt < sizeinw16; compt++)
    doublemsg[compt] = doublemsg[compt] ^ elemcycle();
}

/* 248-bit key: eight 32-bit words, each non-zero with bit 31 clear. */
void key248(w32 key0, w32 key1, w32 key2, w32 key3,
            w32 key4, w32 key5, w32 key6, w32 key7)
{
  w16 dumb[nsetupcycle] = {0};   /* scratch words consumed by the setup cycles */

  if (!(key0 && key1 && key2 && key3 && key4 && key5 && key6 && key7))
  { printf("incorrect key: a 32-bit word is zero\n"); exit(1); }
  if ((key0 | key1 | key2 | key3 | key4 | key5 | key6 | key7) & 0x80000000)
  { printf("incorrect key: a 32th bit is non-zero\n"); exit(1); }
  mwc[0] = key0; mwc[1] = key1; mwc[2] = key2; mwc[3] = key3;
  mwc[4] = key4; mwc[5] = key5; mwc[6] = key6; mwc[7] = key7;
  lea = (w16)mwc[0];   /* lea starts as the 16 LSBs of mwc0 */
  queue1 = 0xda37;
  queue2 = 0xc07f;

  cipher((unsigned char*)dumb, nsetupcycle);
}

/* 128-bit key: the ith register receives (i + 1) * 2^16 + key_i. */
void key128(w16 key0, w16 key1, w16 key2, w16 key3,
            w16 key4, w16 key5, w16 key6, w16 key7)
{
  key248(0x00010000 + key0, 0x00020000 + key1, 0x00030000 + key2, 0x00040000 + key3,
         0x00050000 + key4, 0x00060000 + key5, 0x00070000 + key6, 0x00080000 + key7);
}



The fast but unreadable version, essentially written with C preprocessor macros, will not be shown here but can be found in [4].
Hervé Chabanne, Emmanuel Michon



7.2 Differences between JEROBOAM 1.0 and JEROBOAM 2.0

JEROBOAM 1.0 is the cipher we study in [4].

This article presents an extended version, JEROBOAM 2.0. Here are the three differences:

JEROBOAM 1.0 does not support 248-bit keys; it has just one 128-bit key-insertion function called clef(...), and
JEROBOAM 1.0 clef(...) = JEROBOAM 2.0 key128(...).

JEROBOAM 1.0's chiffre(...) function only ciphers 1024-byte blocks:
JEROBOAM 1.0 chiffre(...) = JEROBOAM 2.0 cipher(...,512).

The setup of JEROBOAM 2.0 is 21 cycles long; JEROBOAM 1.0's setup is 512 cycles long.



7.3 Test values

Here's what we get with the following 248-bit key if we encrypt the zero message:

key248(7323aafc,01638ef6,20903ffa,7f8750d0,2275e0d1,36da83da,4fe33cca,38743eca)
0000-000f : e4 e3 d8 12 06 36 20 73 00 2d cc 66 29 6b 4f 9d
0010-001f : ca 6e 48 a2 a2 be 9e 61 b1 f1 f9 0d 25 0b 06 66
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not n int g multipl o 6 - it ummy 32- it wo houl p -p n to 

0 o p op ly ligning { 2 } th ough { e} to 6 - it oun i . u 

houl 1 o 6 - it lign . 

o^nyn pom i ntly with wo iz up to 32- it whil 

7T p i lly VO 32- it hit tu . n n oth pom 

1 ntly with wo iz up to 6 - it . n th ollowing n ly i w on nt t 

on ’ p omn on 32- it p o o . 
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in t u tion ount th w ighting ing th num o yl oltny oit 
with h typ o in t u tion. 



o in t n on mo t p o o th ult o impl op tion lik n 
ition o n u in th u u nt y 1 - th in t u tion 

i to h V on y 1 1 t n y. n mo n high p omn po o it 

i 1 o ommon o hi t n ot t to ingl - y 1 in t u tion . ow v 
ing om m mo ytk v lyl.vn wh n th t i in th ’ 

lo 1 h it ommonly u two oth ylltnyon mo n ply 

pip lin p o o . 

t t y X mining th o tw iti Ip th th ough . o hoy 
7T 0 n 11 V nt n 32- it wo o to e n in p in ipl up t 

in p 11 1. h o tw iti 1 p th th ough th on outin i tot 1 o 
yl (3yl 07 lylo 7 r 2 yl o6*nlylo ) 11 

o pon ing to ingl - y 1 in t u tion . 

ny p o o h V nough gi t to hoi t t in it nti ty o 

th t wh n n ypting o h hing long lo k o t w n not k p ing 

ny o 0 th ough g om m mo y. ow v u i too 1 g to gi t 
n i mo t i ntly impl m nt fix i ul - u in m mo y 

with moving point u to t th pp no hi t- gi t . 

Not ly in th to not t - p n nt (i. . not t 1 -look- 

up ) 11 1 ul tion n on w 11 in v n n o not ont i ut 

to th o tw iti 1 p th. 1 o in th t g whi h v 1 

t g 1 y om tho th t w itt n th - t n in p in ipl 

t h on o mo up t y 1 h o tim om whi h it om 1 

th t up ting th u i not on th o tw iti 1 p th. 

now xplo th num o 32- it in t u tion n o h it tion 

o u h n ull. t t i ully h 1 in gi t n th ot tion mount in 
7T 11 h - o th n nt il tot 1 o 16 ( om u t g n 

16 o ull o input n u tgl6o uh)nlx logi 1 op tion 

( tu lly on 1 th n thi u th z o- ot tion n not p o m ). 
p ting u involv 16 ( u t g 2 n 31) 16 op- 
tion nl6wit (u tg On 25) plu num o op tion to 

up t th point to th t g in o to imul t hi t gi t . 

minimum th involv n in m nt n m k op tion p point . ing 

om t g 31 n w iting to t g 0 1 k only on point lik wi o t g 2 

n 25 u o th w y th i ul - u i u to mul t hi t- gi t . 

on u ntly th ou point to up t o ull it tion n 

th o u h. h m king op tion impl m nt i ul ithm ti on th 
point - onv ni n i ing om th u iz ing pow o two. 
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o h ull it tion pplying th iph output to th t t m in- 
volv om th pi int xt u op tion n w it to th 

iph t xt u plu t 1 t on ition 1 in t u tion to up t point to 

th u . h it tion iph 32 yt o t . 

nth ouhwhvl y ount o ing th input un 
ou i u ion o o 11 th t i 1 t i up ting th point to th input t . 

hu igno ing o th mom nt th w xt in t u tion n y o m in- 

t ining th loop w h v wo klo o 1 9 in t u tion o h it tion o u h 

n 215 in t u tion o h ull. hi i uiv 1 nt to out 5.9 in t u tion 

p yt h h o 6 . in t u tion p yt n iph 

n tim t o how m ny ully pip lin x ution unit th Igo ithm might 

u ully xploit n o t in y ivi ing th tot 1 num o op tion p 

it tion y th num o y 1 in th iti 1 p th. hi num i lly houl 

no 1 th n th num op 11 1 x ution p th in th t g t p o o 

o th t no ou 1 t i 1 . 

o thi wo k out to 1 9 o 215 in t u tion p it tion ivi y 

y 1 p it tion om whi h w tim t th t th h hing n n yption 

mo might on ly xploit p o o with up to 2 n 31 p 11 1 32- it 

t p th p tiv ly. 



h g n ou mount op 11 li m in In it 1 n tu lly to 

i nt impl m nt tion on p o o p 1 o high g o in t u tion- 

1 V 1 p 11 li m. o mon t t th imp iv th oughput hi v 1 in u h 
highly optimiz impl m nt tion w v lop o th hilip i i 
-1000 po o.h i ipo oi y Long n t u tion o 

( L ) ont ining fiv 32- it pip lin x ution unit h ing ommon 

t o 12 32- it gi t . 11 fiv x ution unit n p o m ithm ti n 

logi 1 op tion ut lo to n hi t h uppo t y only two o 

th m. h two X ution unit th t uppo t hi t i tin t om th two th t 

uppo t lo n to . iv n n pp op i t in t u tion mix th p o o 

n i u up to fiv in t u tion p lo k y 1 . 

h op tion in n i ntly xp in - o x pt o 

th itwi ot tion . h optimiz impl m nt tion w w itt n ompl t ly in 
- o X pt o o ting to li y 11 to th p o o ’ n tiv 32- it 

ot t in t u tion. 

in th p 11 li m p nt in th Igo ithm i v tly mo th n i 

V il 1 in th i i w woul hop to 1 to ompl t ly tu t 

thpo o i. .hvvy wv ntintu tion lot . ow v th my 
oth ou on t int th t p v nt thi . o in t n tt 11 o th int n iv 
u o ot t in t u tion o whi h th i i n only i u two p 

y 1 . illing th oth th in t u tion lot on h y 1 ui ov 1 pping 

th X ution o tt with th t o 7 n /o 0. o th n hm k impl m nt tion 

h o th outin w xp ully un oil in-lin o 1 ving th 
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i i - ompil to ogniz n xploit th How 1 ov 1 p tw n 7 

7 T n 0 . 

h loop o it ting nil mo ompil into 23 i i m ly 
in t u tion .hi n tw n thi n th 215 in t u tion p viou ly 
ount om om th in t u tion o m int ining th loop n om om 

ition 1 ov h involv in th point up t o i t with m king th 
i ul u pp n L . h h ul o w tightly p k y 

th ompil into in t u tion-i u y 1 i. . u t in .9 in t u tion 

p ylw hul oiu out o th o ti 1 m ximum o 5. hi i n 

unu u lly high utiliz tion o th i i v n omp to it i n y 

on m i -p o ing t k o whi h it w ign 

ompil o o u h how omp 1 ov h no n ity. 

h optimiz - o w n hm k on 100 z i i p o o 

y n ypting o h hing 12 K yt t u . hoo thi u iz 
V 1 tim 1 g th n th on- hip t ho to m k th po t p - 

o m n p nt tiv o th u t in 1 n yption o h hing p o m n 

to xt n 1 m mo y in thi omp i o yn h onou . t th 1 v 1 

op omn hiv y xtnlm mo y n wi th n om 

ignifi nt to in th ov Up omn. o th n yption n hm k 

th t u w n ypt in-pl o to minimiz th p omn lo 
i ing om m mo y . No o - hip h w p nt (th im i hip 

o not tu lly uppo to- hip h ). 

n n yption th oughput o . it p ylw hi v uiv 1 nt to 
1 . y 1 p yt o 0 p on 100 z p o o . hi in lu 11 loop- 

ov h n y 1 lo t to h mi m mo y t . hi i un om- 

monly t mong t m iph . o omp i on two oth knowl g t 
o tw iph 12 n L 11 po t p 1 o 10.6 y 1 

p yt n 3.5 yip yto5 pn 230 p p tiv ly wh n 
n hm k un th m on ition 3. i lo lightly t on 
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11 li m p nt in th Igo ithm n tt i ut th t n w 11 xploit y 
L po ouh th i i. o ingly it houl not th t 

’ vntg my imini h wh n unning on p o o h ving 1 

in t u tion -1 v 1 p 11 li m th n th po t h 

nth i ipo o hiv h hing th oughput o 5. 1 it 

p y 1 uiv 1 nt to 1.6 yip yt o 510 p on 100 z vi . 

not w opulih p omn figu o impl m nt tion o oth 

u ntly popul h h un tion on th i ipo o g in t whi h to 



i tly omp ’ p . till impl omp i on how th t th 

p - yt wo klo o i imil to th t o 9 th t t m m 
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long. n hm k o th popul h h h v n pu li h o th nt 1 

ntium p o o in 2 om whi h w n m k omp i on to 

o m n o n optimiz - o impl m nt tion o on 

200 z ntium o (u ing li y un tion o ot t ) w m u t 

19 p o iph ing n 21 p o h king i. . th oughput o 0.99 it 

p y 1 o iph ing n 1.0 it p y 1 oh hing. hi omp to 

h hing p po t in 2 o -In -160 o 0.2 it p y 1 
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ut V n without u h imp ov m nt it how out 2x p v nt g ov 

m ly o V ion o th oth h h . 

in th ntium o n in p in ipl i u two ithm ti o logi 1 in- 
t u tion p y 1 omp to fiv o th i i hip on m y won 

why th th oughput p ylo onth ntium o i ly on 

li th th t hi V on th -1000. np tth oni tht ’ 1 g 

t t nnot m int in in th m 11 gi t to th ’x 6 hit tu 
with th ult th t o o th ntium o ui m iv ly mo lo n 
to in t u tion th n ui o th i i o o th t m tt oth 

p o o with g n ou ompl m nt o gi t . in oth -1 
n -160 u t nti lly unh mp y th limit gi t to 

th ’x 6 hit tu w woul xp t ’ v nt g ov th m to 11 

th g t on p o o not h ving thi limit tion. 

n on i ing ’ uit ility to n ppli tion it houl o n in 

min th t th p o m n figu po t o 1 g lo k iz . h n h h- 

ing m 11 lo k o n ypting with u nt k y h ng o yn h oniz tion 
th ov h o th omp nying 32 1 nk ull it tion m y ignifi ntly im- 
ptthp omn. kyhngo ynh oniz tion t k out long 
n ypting 1000 yt . imil ly h h h lo k h fix ov h uiv- 

1 nt to h hing out 1000 yt . 



h V p nt n w yptog phi mo ul p 1 o yptog phi h hing 
n t m n yption uit o ppli tion wh 1 g mount o t mu t 

p ot t . t h n hown th t th inh nt p 11 li m How xt m ly 

t o tw impl m nt tion on L p o o . 
Craig S.K. Clapp

PictureTel Corporation, 100 Minuteman Road, Andover, MA 01810
craigc@pictel.com

xplor pro 1 m of igning r m ip r i 

f in of w r y m y i n ly impl m n in r w r . ow 

k y r m g n r or nil wor wi non lin r f k if 

r gi r n o r o ig gr of p r 11 li m n r w r 

impli i y n fl xi 1 uri y of n i r ign. K i 

own o n X mpl of i opology. mo i non lin r mix 

ing fun ion i propo for K w i m k i r ui 

0 r w r impl m n ion. ig gr of p r 11 li m How 

1 n impl m n ion on pro or ving in ru ion 1 v 1 p r 11 li m 

n 1 n ur lly o ig p pip lin r w r impl m n ion . 

r omm n v ri n run 40 p on 2 z n ium 

n 2 0 p on 100 z ri i L w il 2000 g 

r w r impl m n ion of m ip r i v 200 p from 

50 z lo k. ig r p v ri n i v 00 p 40 p n 
400 p r p iv ly wi om lo of uri y w il n ing lig ly 

1 r w r . 

t U t 

h fi t t o tw n yption o k hop in m 1993 on ht p - 
h p o th fi t tim ni jo o u to th topi o iph i n o o t- 

w y t m . h n w om o y thi om in h v 1 

to m ny V nu o h th t woul p viou ly not h v n on i 

in th n num on iph h v n p opo o o tw impl m nt tion 
ut o tho th t h V th hi h t th on hput in o tw non i p i lly 

w 11 nit to h w impl m nt tion. ypi lly th y u 1 t 1 

L lowfi h 9 K 10 n it iv tiv 3 o h v 1 int n 1 
tt 

n om ppli tion th i n o hi h p iph th t n 
i ntly impl m nt in oth h w n o tw . n x mpl om om 

th t n to nip on um 1 t oni nt t inm nt vi with hi h- p 

i it 1 int onn tion . 

i h- p i it 1 int not ly -139 xp t to pp 

oon on i it 1 vi o i ( ) pl y n i it 1 t 1 vi ion t n th y 

h V 1 y pp in p on 1 omput . n pon to th nt t inm nt 
in u t y’ on n to p ot t th i ont nt om un utho iz opyin whil 

u 3 2 
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in t n mitt i it lly tw n on um 1 t oni vi it h n 

p opo to n ypt u h onn tion wh n v th y y opy i ht t . 

n on um 1 t oni vi who wo klo o not ju ti y hi h p - 
omnpo o uh plytht imply p th omp 

t om th i to th xt n 1 i it 1 int n yptin it Ion th w y 

it i p to impl m nt th n yption in h w 

h n omp i it 1 vi o ont nt i -pi y on p on 1 omput 

th omput tion lly int n iv t k o vi o omp ion 1 y i t t th 

p n o hi h-p o m n typi lly on with hit tu 1 optimiz - 

tion o m i -p o in . iv n it p n it i n tu 1 to k it to 1 o um 
th t k o yption. i it 1 1 1 vi ion will in in ly u m m i - 

po o oth mtk o inyonth ilo oni tion. 

hp omn uimntoth om ntion ppli tion motiv t 
on int p t tion o hi h p ’ n i nt h w ’. h on um 1 - 

t oni in u t y’ o 1 o thi ppli tion u t to th ou hput in o tw 

in X o two it p y 1 on n 1 pu po omput n h w 
impl m nt tion in 1000 to 2000 t . 

know o no po t iph th t imult n ou ly hi v th o 1 . 

2 t t z t t 

nti ip t th t th twin o 1 o t o tw impl m nt tion n onomi 1 

h w not mutu lly x lu iv mi ht on lu om th 1 k o 

iph h in oth h t i ti . th w u p t th on o th 1 k 

o 00 X mpl i th t th h n pol iz tion o i n philo ophi to 

VO on o oth o th nvi onm nt in th xt m . u t t y i to in 

iph whil jointly optimizin o th p tiv on t int i in om oth 

h w n o tw impl m nt tion . 

y p ntin thi wo k w hop to timul t u th wo k in jointly opti- 
mizin iph o oth h w n o tw . 

d b d 

u o 1 i to fin topolo y th t un t hi h p in o tw whil in 

V y i nt in h w . o ov w woul i lly lik it to un i ntly not 
only on 1 y hit tu u h th ’x 6 ut 1 o to t k ull v nt o 
th u t nti 1 in t u tion-1 v 1 p 11 li m p nt in mo v n p o o 
u h nt 1’ ntium n m i -p o o u h hilip ’ i i hip. 

h i o low t - ount t n to i t t iph with n i nt 
it tiv impl m nt tion n 1 tiv ly littl t t . lo k iph u h 

typi yuh ttyutthiit t intn too littl p 11 li m 

th t mi ht xploit in o tw impl m nt tion. 

in V n to y’ multim i -optimiz po o plopo m- 

in ou o fiv 32- it op tion p y 1 (o 12 to 160 it-op tion p 




Joint Hardware/Software Design of a Stream Cipher

y 1 u 1 in V i ty o wo -1 n th ) it i hi hly i 1 o multim i - 
optimiz iph to p 1 o xploitin t 1 t thi mu h in t u tion-1 v 1 
p 11 li m. hi t n to i t t th t u h iph h v 1 1 t 12 to 160 it 
o t t whi h o it 1 woul on um u t nti 1 p opo tion o on 1000 to 
2000 t h w u t. 



d d 

ny h w o i nt t m iph in th lit tu hi t- i t 

ow V h t i ti lly th un v y in i ntly in o tw in p o 

o op t on wo whil th h w o i nt iph ly h vily on 
in ivi u 1 it op tion . 

n w y o utilizin th pow o wo -o i nt p o o i to t t it 
wo n- it V to n impl m nt n in p n nt opi o th iph on 

in h it-1 n hion. v i tion on thi th m i to How om 

mil int tion tw n th it 1 n u h y pi in it-wi ition 

o wo (i. . X In iv - ) y ul ition o wo th y onv tin n 

in p n nt hi t it into n itiv o 1 i on i n to 5 . 

u h wo -wi n to n th n u in om in tion mo 1 t 
th VO topolo i o om inin it- i 1 hi t it . x mpl o thi 

tty n ninih2 whi hi o tw n n itiv n to 

n n on u nt h inkin n to 6 n ik 1 whi hi t io o itiv 

n to who it-wi om in tion topolo y i p tt n t 5 

ommon to th x mpl i th t th in in o tw p om t th 

xp n o o pon in in in iph t t . on u ntly th iv - 

tiv no Ion i nt in h w . o in t n 32- it impl m nt tion 

o ihh 32 itott whil ik h 5 0 y om th w t n o 

it o th i h w o i nt p ototyp . 

n int tin u tion i wh th y p ovi in mu h t on n non-lin 

int tion tw n th it o th wo ( oppo to th mil int tion in 

n itiv n to ) it i po i 1 to hi v u ul u ity with m ti lly 

w it t .nuh w nno Ion xp t th u ity to 

t li h om om un lyin in 1 - it hi t- it iph mo 1. 



kin t o tw iph on t tin point 

fin w y to u th i h w ompl xity. in 
h w i omin t y look-up-t 1 no viou 
up-t 1 mi ht u in iz without ipplin 

ppli 1 to it t lo k iph mi ht to in 
to omp n t o ny lo o t n th i in om 
th no lo k iph t th p w 

whi hoth ttvillt m iph 



n tu 1 in lin tion i to 
o m ny u h i n th 
u tion i how u h look- 
th iph . n pp o h 
th num o oun 
u t 1 . ow V 
k to hi V 1 vin u to on i 
mi ht mo ifi to fit on n 



t t m iph o not typi lly h v t u tu th t uppo t in 
mntlt -oop vu u ity. ount x mpl om om th 
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iv tiv o K i in 3 . h iph h v on p m t th 

tot 1 num o mixin /it t . n in th num o t in 
th u ity. n o tun t ly it 1 o in th tot 1 mount o t t o i t 

with th iph ultin in n ition Ih w u nthtw woul th 
not in u . 



3 0 0 

n 10 hi int on th iph K . t u mixin un tion 
th t om in two 32- it input into on 32- it output with th i o k y- 
p n nt 256 32- it look-up-t 1 T. h p ti ul on t u tion o T m k 

th mixin un tion inv ti 1 in th n th t knowl o th output wo 

n on o th two input wo i u i nt to uni u ly p i y th oth input 

wo . 

K on i t o in ou o th mixin un tion h vin i t 

k oun h on n ov 11 k oun th oup. ou t 

ho n th minimum num n o ompl t i u ion ut mo t 

n i i o ition 1 u ity. 

o i in lly p opo K op t with iph - k into th t t 

m hin 1 in to th pot nti 1 o ho n pi int xt tt k not y h 1 

in 10 . n ition to it u in iph - k mo hi 1 o u t 

K uit 1 o th p o u tion o p u o- n om u n o u 

thkyt mo t m iph . y h n in th t t m hin om 

iph - k to output- k mo th pot nti 1 u pti ility to ho n- 

pl int xt tt k i limin t . hi mo to in 3 K - i 

hown in i . 1 . n th i m 11 it n i n 1 p th w- it wi 
with w 32 o i n y on 32- it p o o . hi topolo y in onjun tion 
with th inv ti ility o th mixin un tion ult in v i 1 n to . 

n 3 it w hown th t y unnin th k y t m n to in v 
th ol in in omput tion Ip 11 li m oul hi v ultin in 

V y hi h th ou hput on p o o hit tu h vin in t u tion-1 v 1 p 1- 

1 li m whil 1 imin i nti 1 u ity to th non- v v ion. 11 thi 

o m K - 



o o t t 

hil not oiinllypoty uhw n - w K- n uiv- 

1 nt wo -wi hi t it. hi i hown in i . 1 in with 11 i t 
n i n 1 p th in w- it wi . n thi o m th hi t it mu t t pp 
ou tim to p o u th n w output th t th p 11 1 t t m hin o i . 1 
p o u in ju t on t p. hi i mon t t y th t t u n li t in 
t 1 1. 
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a) parallel form b) serial form 

Fig. 1. Alternate implementations of 4-stage WAKE-OFB 




Table 1. Contents of registers through Rq for time intervals T0 to T4



w u - mpl th output o th hi t- it v ion y ou w p o u 
th X t m output u n th o i in 1 p 11 1 v ion p o u on on- 

utiv t p . h i 1 o m i p ti ul ly tt tiv oh w impl m n- 
t tion u p t om th in ju t on mixin un tion to impl m nt 
th ont ol lo i o thi topolo y i uit t ivi 1. n h w th i 1 o m 
p o u n V th ou hput o it p lo k y 1 whi h i till uit t 
nou h o mo t ppli tion . 
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Not th t in o tw II I 

I I . h y imply i nt ut u lly v li p nt tion 

o in 1 omput tion 1 flow ph. 



o K n it iv tiv in mo t h nut 

onv ni nt m n o inin xt u ity. nt p tin thi t t y in th 

ont xtoth ilomo K- w n it uiv 1 nt to in in 
oth th 1 n th o th hi t it n th u - mplin to . i. . 5- t 

K - i uiv 1 nt to flv - t wo -wi hi t it who output 

i t k n on v y fl th t p. 

Now it om pp nt th t th tu lly o om to 

xploit . n th on h n w n in th num o it in th 

h in n in p n ntly w nit how m ny tim to t p th n to 
tw n output .1 ly i w X i th om in p n ntly th n th 

uiv 1 nt p 11 1 h w impl m nt tion i w t on 1 on Iv to i ov 
it will om thin oth th n th impl o m in i . 1 . ow v thi o 

not onnuin oh w inyw will impl m nt th i 1 o m 

n thi o m 1 o ully p ifl th t k in o tw 

V y tim th hi t it o i . 1 i t pp th t in . p ti i- 

p t in noth it tion o th mixin un tion. th mixin un tion i yp- 

to phi lly u ul th n w n xp t h ition 1 it tion to ont i ut 

ypto phi t n th to th ont nt o . in th m w y th t t n th 

umul t with th num o oun in n it t lo k iph . in th 

oth i t imply ol opi o wh t w on on in . it o not 

m tt whi h i t i t pp o output om th vi wpoint o ypto phi 

t n th. h V th output i t k n om it n on ly u th t 

th ypto phi t n th n lly in with th u - mplin to . 

n in th num o i t in th mount o t t th t n 

tt k n to u . t 1 o in th num o it tion o th mixin 

un tion y whi h th two input to th mixin un tion i . n n 1 th 

t thi ypto phi p tion th 1 h n th i o n un o tun t 

int tion tw n th two input u h on t u tiv in o m nt o om 

t ti ti 1 i . ow V y n lo y to i nti 1 h t i ti in it t 

lo k iph i th mixin un tion i known to h v n xploit 1 m- oun 

h t i ti th n it m y pp op i t to voi th in m 11 multipl 

0 thi num o it t tw n th input o th mixin un tion. 

u t th t o hi t it with n- t hown in i . 2 it 

1 ill vi to u - mpl y to o n — 1 in in thi th output 

t m V 1 input to th mixin un tion o om tim t p whi h 

m y ypt n ly i . 1 o ny u - mplin to 1 th n n will ult in 

th ont nt o mo th n on it in known o t 1 t om tim t p 

whi h imini h on o th pu po oh vin mo it i. . in in 
th mount o t t th t n tt k mu t u . 
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a) n-stage WAKE-OFB b) w-stage WAKE-ROFB 
(serial form) (serial form) 



c) same as b), showing 
pipelined mixing function 



Fig. 2. Forward and reversed forms of generators with an arbitrary number of stages 
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ypto phi u ity o p u o- n om u n u o t m iph 
mn thtnoonptoth un n p it om ny oth 
p t o th u n . hi u ity p op ty m k no i tin tion tw n th 
o w n tim v v ion o th p u o- n om u n . hu i 
( p u o- n om num ntouh K- pou 

ypto phi lly u u n th n th t m n to unnin in v 
mu t 1 o p o u ypto phi lly u u n . 



n 3 it w o V th t unnin th K - n to kw 

xpo th tim mu h omput tion Ip 11 li m w p nt in th 

o w V ion. 11 th v v ion K - . in th o w 

n V V ion pou th mkyt m imply in th oppo it o 
om on noth w 1 im th t th i u ity i i nti 1. 

ut ww Ito wn uiv Int ilomo K- 

w 1 to w n uiv Int ilomo K- .ni.2w 
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th n xt n — 1 p i o input to th mixin un tion 1 y t min 
o in p in ipl th ult o th n — 1 mixin un tion v In tion n 11 
p o m in p 11 1. 



hi p ovi u with noth it ion to ui on hoi o th num o 

i t t it houl u i nt to 1 t u tiv ly xploit th v il 1 

in t u tion-1 v 1 p 11 li m in th p o o on whi h th iph will un. 

viou ly th V il 1 p 11 li m h n hown to v nt on o 

i ntly xploitin in t u tion-1 v 1 p 11 li m in o tw impl m nt tion 

po t in 3 . not 1 v nt th t thi p 11 li m o im- 

pl m nt tion i th ility to pip lin th mixin un tion n th y in 
th m ximum lo k t t whi huh impl m nt tion n op t . 

ip linin i t hni u ommonly u inhw in mno 

in in th m ximum tt in 1 lo k to y t m. h m ximum lo k 
to y t m i oun y th Ion t p op tion p th th on h om i- 
n tion 1 lo i tw n ny two it. i nit topolo y Ilow ition 1 

it to pi in th Ion p th th n th tt in 1 lo k t n 

in 

n i . 2 w o V th t 11 nt on o th w- it it i. . th on h 

. _ pp in i with th output o th mixin un tion. hu th mixin 

un tion n in o po t n — 1 pip lin t whil m int inin th x t m 

p u o- n om u n th o i in 1 i nit. hi i - wn o 1 ity in 

i . 2 om whi h it i 1 th t v In tion o th pip lin mixin un tion n 

t k Ion n — 1 y 1 o Ion n w input pt n n w output 

i p o u on V y y 1 . on in p ti th it woul not imply 
pi in i with th ouput o th mixin un tion nt in t woul 
u i in i . h optimum po itionin o th it wh n mov in i 

th mixin un tion i p n nt on th p ifi p op tion 1 y th on h it 

V ion p th n n t min y t n h w int hni u . 

omm nt th t p -optimiz po itionin o th pip lin it m y pi 

th m t omput tion 1 w v ont o y mo th n w i n 1 ho whi h 
mu t it . o th in in p u to pip linin m y om t th 

o t o om m 11 in in it it . 
Fig. 3. a) WAKE's mixing function b) Inverse mixing function



d b d d d 

om th p in i u ion w th t th i th -w y t -o 
tw n h w i n y u ity n p ( oth o tw p n h w 

p with o tw p in mo o on n). 

h nmntoi.2( K- )o no ypto phi o p - 
omn vnt ovthtoi.2( K- )nonu ntly 

h no on to u . h un m nt 1 i tin tion tw n th two i th t 
K - How multipl mixin un tion to v In t in p 11 1 whil 

K - o not. hi i tin tion i n lo on to th i n tw n 

th i on i n loi o m o lin k hi t it. 

n 1 tin th num o w- it it o min th hi t it w t 

h w inynotw tt intth mount o v il Ip 11 li m 

(whi h up to point t nit into p )• o i nt op tion on om 
1 y P o o not ly th ’x 6 mily it i i 1 to k p th mount 
o t t m 11 o th t it n t y i nt in th v y limit it to 

th p o o . hi n 1 o on t int i i nt op tion i only 

ui on mo nt mily m m lik th ntium in in th m th 

it nlivp uonthl y it vnithlo ithm 

0 n’t n th p i liz in t u tion . 

n 1 tin th num o tim to t p th n to tw n output w 

1 tly t p in t u ity. n i tly w lot in th m oth 

in t h w ompl xity in in n 1 w mi ht xp t to n w 

it tion oth mlvlo u ity i th mixin un tion i m 
ompl X. 
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t X u t 

K ’ mixin un tion (x, y, T) om in two 32- it input x n y into 

on 32- it output with th i o k y- p n nt 256 — 32- it look-up-t 1 

T . t ummin th two input wo th low yt om th in x into 

th t 1 . h oth th yt hi t own y on yt n th n 

with th t 1 ’ output, y on t inin th v In in th upp yt 1 n o 
th oth wi n om’ nt i o T to o m p mut tion o th num 0 to 

255 th mixin un tion i m inv ti 1 in th n th t knowl o th 
output wo n on o th two input wo i u i nt to uni u ly p i y th 
oth input wo . h tion o th t 1 -look-up i to p mut th ottom yt 

n pi it in th top yt whil lop ovi in on u ion o th oth th 

yt . h i ht- hi t v to p op t h n to th i ht whil th ition 

op tion p ovi p op tion to th 1 t. h mixin un tion n it inv 

hown in i . 3. 

n tt tion o thi mixin un tion i th t it i v y t in o tw . n o - 

tun t ly o ou pu po th 256 — 32- it look-up-t Ip nt n un pt- 
Ih w u n. vniw ount h it uiv 1 nt to ju t in 1 

t th t 1 will t k ov 000 t.uutmnthtw n 

0 o m nitu m 11 th n thi . 

b 

0 th h w i u w mo i y th mixin un tion o th t th look- 

up-t Ip t m y omp ti ly impl m nt y ith o two on t u tion . 

h fi t on t u tion i two 16 — 16- it look-up-t 1 whil th on i 
in 1 256 — 32- itt 1. hfitontu tion i p o onomi 

h w impl m nt tion whil th on p ovi th t t o tw impl - 
m nt tion. 

n th h w with two 16 — 16- it t 1 h 1 o th o i in 1 

it o to on t 1 whil th on t 1 iv th oth . h p i o 16- it 
output om in to p o u 32- it wo y int 1 vin in hion th t 

1 i u It. 

hi t t y ult in on t u tion o whi h I I 

— I with on t in o m. on u ntly w n 

ontinu to impl m nt th mixin un tion y u in in 1 256 — 32- it t 1 
th y voi in in th p o mixin un tion v lu tion. 

h ult nt inv mixin un tion o u with th i t topolo y o 

1 . 2 i hown in i . . omp to th inv mixin un tion o i . 3 

whv lohn th hiti tion to th t o i . 3 n opt 

th o pon in t 1 fi 1 n ithm ti op tion. hi h no 

ypto phi i nifi n no imp t on th h w i n y ut th i 

n fit in o tw to xt tin th low yt th t 1 th th n 

th hi h yt . Low yt xt tion i imply m kin op tion whi h mploy 

th p o o’ L whil hi h yt xt tion n hi t . n p o o with 

multipl X ution unit it i ommon to h v mo L th n hi t .in w 
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2 y 




X = M'(y, Z, T) 

Fig. 4. Modified mixing function with split table 



Ion to hi t th oth th yt w w nt to voi tin ottl n k 

h 

no to m int in th v i ility o th n to w k p th mixin 
un tion inv ti 1 y pplyin h 1 ’ t i k to th upp ni 1 o h t 1 

i. . th upp ni 1 o h t 1 ont in k y- p n nt p u o- n om 

p mut tion o th t t 1 ’ on - it input. 

hil th m inin ont nt o th t 1 oul imply p u o- n om 

nt i in K ’ o i in 1 t 1 th t 1 iz in th n w v ion 
p i lly m 11 o th t t ti ti 1 i om mo o on n. o miti t 
thi on n w hoo to fill h o th oth th ni 1 1 n in oth t 1 

with th i own ky- pn ntp uo- n om p mut tion . 

dd d b b 

n omly fill 256- nt y look-up-t 1 will with hi h p o ility h v out- 
put who non-lin o i . ow v output om 16- nt y t 1 nnot 

h V non-lin o tthn.no to pi ly po i 1 in 

th non-lin ompl xity o th mixin un tion on in 1 n omly 

fill 256- nt y look-up-t 1 whil in u in no ition 1 h w u n 
w int 1 V th output o th two t 1 on it- y- it i x pt th t t 
yt oun i th int 1 vin o i 



V 
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hi i illu t t low wh it Aq — A om om on t 1 n 
Bq — B om om th oth t 1 



nt 1 vin th t 1 output on it- y- it i t th m ximum 
po i 1 int tion tw n th two oup o it in th i n xt n ount with 

n in ny i n t in i th th n t to mix it th t 

m om in p n nt t 1 . h vi tion om tit it- y- it int 1 vin 

i o th t th t Iw y om in output it om on t 1 with tho 

it in th hi t p th th t h v hi h t o 1 tion with th oth t 1 ( om 
n li mixin un tion). hi in i to m k 11 ultin it t on ly 

p n nt on oth t 1 po i 1 . 

p tition th o i in 1 yt into hi h n low ni 1 o in 

th two m 11 t 1 . hi iv h t 1 ont i ution om oth 

t 1 in li op tion u to th int 1 vin o t 1 output in p viou 
mixin un tion. h low ni 1 whi h in lu it 0 th t n h v h no 
influ n om t 1 i? th ou h th tion o y i in om th ition 

op tion in th p in mixin un tion i u th o t 1 B. 

nwhil th hi h ni 1 om th o t 1 A. n thi w y h 

t 1 ’ i ompo o ou hly v n ont i ution om oth t 1 in 

li op tion . th two oup o it th on ont inin it 0 

h t i tow t 1 A n y u in it 0 in t 1 i?’ w 

h Ip to V n out thi i . 

u p titionin o th it h no influ n on th p o m n o 

o tw impl m nt tion in how v w hoo to p tition th m w n 
Iw y on t u t n uiv 1 nt 256 — 32- it t 1 . 

d 

o V i ility o th wo -wi hi t it topolo y h n hi v 

y u in mixin un tion h vin it non-lin 1 m nt p u o- n om 

p mut tion th y m kin th mixin un tion inv ti 1 . ow v u h 

on t u tion i not t i tly n y to n u th t th t t m hin i 

V i 1 . 

n i . 5 w illu t t mo n 1 o m o th mixin un tion whi h 

u nt th V i ility o th t t m hin . . n . p u o- n om 

whil . i p u o- n om . hil i . 5 how 

n . in om in y x lu iv - th only ui m nt on th om inin 

op tion i th t it inv ti 1 o o in t n ition mo ulo 2' i u lly 

uit 1 . ypto phi lly u ul mixin un tion ui t 1 t on out o 

. . n . to non-t ivi 1. 

n now th t th li p opo mixin un tion i o th o m 
h vin non-t ivi 1 . whil . n . i ntity op to (i. . nt) with 

ition u th om inin op tion. 

w on i th wh only .ip nt hown in i . 5 w not 

th t in n th mixin un tion i th n uiv 1 nt to th oun un tion o 





Fig. 5. Reversible generators with alternative types of mixing function 



i t 1 n two k. hi i th int tin po i ility to pply th t hni u 

om lo k iph inn n ly i to thi topolo y knowin th t th ultin 

t m iph in nt to h v hi h op 11 li m. on . i 

not ui to un tion ut oul in t v y y hi t- it t p 

in th m w y th t ommon p ti in i t 1- lo k iph i n i 

o th k y h ul to int o u om v i tion in th oun un tion y oun 

num 



y u 



t y z t 



o ompl t t m iph finition two u th ompon nt initi liz tion o 

th k y- p n nt look-up-t 1 (k y h ulin ) n t m - yn h oniz - 

tion n to p ifi . i u th two op tion in li ht o on o 1 
oh w i n y. 

We anticipate that even in applications where encryption is performed in hardware there will commonly exist a processor of some kind, such as a microcontroller, used to orchestrate the operation of a consumer electronic device. While such a processor cannot be relied upon to perform ciphering of a high-speed data stream, it is not unreasonable to call upon it to assist with initializing a hardware-based mixing function's key-dependent look-up-table, so long as key changes are relatively infrequent. For this reason we allow the key scheduling operation to be more complicated than would be desirable if it had to be performed strictly in hardware, instead constraining ourselves only to make it relatively easy to implement even on a low-end microcontroller. Specifically, only the construction of the pair of 16 × 16-bit tables is targeted at the microcontroller, not the construction of the equivalent 256 × 32-bit table, since the latter is only required for efficient software cipher implementations.

On the other hand we want to allow for the possibility of frequent stream re-synchronization without once again unduly burdening the microcontroller in the case that encryption is being performed in hardware. For this reason we keep the re-synchronization procedure very simple, so that its implementation in hardware alone is trivial. We perform re-synchronization by setting the shift register to a new state that is solely dependent on a supplied initialization vector and then stepping the generator until its state is thoroughly dependent on the contents of the look-up-table, discarding the generator's output along the way.

u t u t 

To provide the amount of parallelism necessary to fully exploit a processor capable of performing four or five 32-bit operations per cycle we need five or six 32-bit registers in our shift register. This is also an acceptable number for an efficient implementation on a Pentium.

A hardware implementation of this stream cipher using the proposed split-table mixing function with a 32-bit × 5-stage shift register and the necessary control logic takes about 2000 gates (with key scheduling assumed to be done in software).

We suggest two models.

d 

This model's 5-stage shift register allows four mixing functions to be evaluated concurrently, which effectively exploits the instruction-level parallelism in media processors such as the TriMedia TM-1000. By increasing the number of mixing function iterations between outputs to eight from WAKE-CFB's original four we hope to amply compensate for the split look-up-table.

In the appendix we provide specimen C-code for this model, which we refer to as WWNFSR-5/8. The appendix includes illustrative routines for the key scheduling and re-synchronization operations using a 128-bit key and a 64-bit initialization vector. Re-synchronization of the form specified takes about as long as ciphering 32 bytes. Key scheduling software for hardware-based implementations need only perform the first loop of the key scheduling routine, in which the pair of 16 × 16-bit tables is constructed.

d 

This model is equivalent to 4-stage WAKE-CFB except that with our modified mixing function we expect it to be weaker. Four is the minimum number of iterations necessary for complete diffusion of the mixing function. While this model only has two-fold parallelism, this has not been found to be the limiting factor on the Pentium. To get better than two-fold parallelism out of the Pentium requires taking advantage of the parallelism available through the instruction set. However, in practice we have
The following C-code implements the recommended 5-stage / 8-step word-wide non-linear feedback shift register model. Specimen routines for key scheduling and stream re-synchronization are included for the purpose of providing a complete cipher proposal for cryptanalytic investigation. This code is functional only and does not represent all the performance optimizations described in the benchmarks of

/* WWNFSR-5/8, C-code reference, version 1.0 */

/* 5-stage word-wide shift register with output sampled on every 8th step. */
/* Key-schedule illustrates mixing-function with split look-up-table. */

#include <stdio.h>
#include <stdint.h>

typedef uint32_t UINT32; /* 32-bit unsigned integer (the original used unsigned long, */
                         /* which is 64 bits wide on many current platforms)          */

/* Array sizes - UINT32 T[256], key[4], IVec[2], state[5]; */

/* addition is modulo 2^32, >> is right shift with zero fill */

#define M(y, z, T) ( (y) + (((z) >> 8) ^ T[(z) & 0xff]) )

void ofb_crypt(UINT32 *In, UINT32 *Out, int length, UINT32 *T, UINT32 *state)
{
    UINT32 R1, R2, R3, R4, R5, Rt;
    int i;

    R1=state[0]; R2=state[1]; R3=state[2]; R4=state[3]; R5=state[4];
    for (i = 0; i < length; i++)
    {
        /* Naive implementation of shift-register obscures available parallelism */
        /* for (shiftstep = 0; shiftstep < 8; shiftstep++) */
        /* { Rt = M(R4,R5,T); R5=R4; R4=R3; R3=R2; R2=R1; R1=Rt; } */

        /* Logically equivalent flattened form makes four-fold parallelism clear */

        Rt = M(R2,R3,T); /* */
        R3 = M(R3,R4,T); /* All four mixing functions */
        R4 = M(R4,R5,T); /* can be evaluated in parallel */
        R5 = M(R1,R2,T); /* */

        R2 = M(Rt,R3,T); /* */
        R3 = M(R3,R4,T); /* All four mixing functions */
        R4 = M(R4,R1,T); /* can be evaluated in parallel */
        R1 = M(R5,Rt,T); /* */

        Out[i] = In[i] ^ R5; /* Execution can overlap with second */
                             /* group of mixing functions */
    }
    state[0]=R1; state[1]=R2; state[2]=R3; state[3]=R4; state[4]=R5;
}

void resync(UINT32 *IVec, UINT32 *T, UINT32 *state)
/* set state from initialization vector and discard first eight words */
{
    UINT32 temp[8] = { 0 }; /* bit-bucket */

    state[0] = state[3] = state[4] = IVec[0];
    state[1] = state[2] = IVec[1];

    ofb_crypt(temp, temp, 8, T, state);
}

void key_sched(UINT32 *key, UINT32 *T)
/* build 16 x 16 look-up-tables Tb, Ta, and 256 x 32 table T from 128-bit key */
{
    UINT32 i, j, k, n, mask, xordif;
    UINT32 TbTa[16]; /* pair of 16 x 16 look-up-tables stacked side-by-side */

    /* initialize permutations in each nibble-lane of TbTa */
    for (i = j = 0; i < 16; i++) { TbTa[i] = key[3] ^ j; j = j + 0x11111111; }
    k = 0; mask = 0x00f0f0ff; /* mask selects four out of eight nibbles */
    for (j = 0; j < 8; j++) /* do for each of 8 mask values */
    {
        for (i = 0; i < 16; i++) /* do for each of 16 table entries */
        {
            /* scan across key and table nibbles to define table entry for swap */
            n = (TbTa[i] >> (j*4)) + (key[(j*2 + i/8) & 0x3] >> ((i*4) & 0x1c));
            k = (k + n) & 0x0f;

            /* swap masked nibbles between TbTa[i] and TbTa[k] */
            xordif = (TbTa[i] ^ TbTa[k]) & mask;
            TbTa[i] = TbTa[i] ^ xordif;
            TbTa[k] = TbTa[k] ^ xordif;
        }
        mask = (mask << 4) | (mask >> 28); /* rotate mask left by 4 bits */
    }

    { /* build 256 x 32 table T by interleaving left and right halves of TbTa */
        UINT32 a, b;
        UINT32 expand[16] = { 0x00,0x01,0x04,0x05, 0x10,0x11,0x14,0x15,
                              0x40,0x41,0x44,0x45, 0x50,0x51,0x54,0x55 };

        for (i = 0; i < 256; i++) { T[i] = 0; } /* clear look-up-table T */
        for (j = 0; j < 16; j++)
        {
            k = TbTa[j];
            a = (expand[(k >>  0) & 0xf] <<  0) ^ (expand[(k >>  4) & 0xf] <<  9)
              ^ (expand[(k >>  8) & 0xf] << 16) ^ (expand[(k >> 12) & 0xf] << 25);
            b = (expand[(k >> 16) & 0xf] <<  1) ^ (expand[(k >> 20) & 0xf] <<  8)
              ^ (expand[(k >> 24) & 0xf] << 17) ^ (expand[(k >> 28) & 0xf] << 24);
            for (i = 0; i < 16; i++) /* fill look-up-table T */
            { T[i+16*j] = T[i+16*j] ^ a; T[16*i+j] = T[16*i+j] ^ b; }
        }
    }
}

/* Test */

void test(void)
{
    UINT32 key[4]  = { 0x12345678, 0x98765432, 0xabcdef01, 0x10fedcba };
    UINT32 IVec[2] = { 0xbabeface, 0xf0e1d2c3 }; /* Initialization Vector */
    UINT32 text[4] = { 0x1234abcd, 0xa0b1c2d3, 0x1a2b3c4d, 0x55667788 };
    UINT32 T[256], state[5];
    int i;

    key_sched(key, T);     /* Schedule key */
    resync(IVec, T, state); /* Initialize generator state using IV */
    for (i = 0; i < 256; i++) /* Encrypt text buffer 256 times */
    { ofb_crypt(text, text, 4, T, state); }

    for (i = 0; i < 4; i++) { printf("0x%08lx ", (unsigned long)text[i]); } printf("\n");
}

/* final text[] == { 0xe5650b3d, 0xfdb4dca1, 0xc904b128, 0xd25f1934 } */

int main(void) { test(); return 0; }
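As an added sanity check (not part of the paper or its reference code), the program below confirms the claim made in the comments above that the flattened eight-step update in ofb_crypt() equals eight iterations of the naive one-word shift. It uses a constructed placeholder table rather than the key schedule, since the equivalence holds for any T.

```c
/* Added example, not from the original paper: verifies that the flattened
 * eight-step register update is equivalent to eight naive single-word
 * shifts for an arbitrary look-up table T. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t UINT32;

/* Same mixing function as the reference code: addition modulo 2^32,
 * right shift with zero fill, table index taken from the low byte of z. */
#define M(y, z, T) ((y) + (((z) >> 8) ^ (T)[(z) & 0xff]))

/* Naive reference: eight single-word shifts of the 5-stage register. */
static void naive_eight_steps(const UINT32 *T, UINT32 *s)
{
    UINT32 R1 = s[0], R2 = s[1], R3 = s[2], R4 = s[3], R5 = s[4], Rt;
    int step;
    for (step = 0; step < 8; step++) {
        Rt = M(R4, R5, T);
        R5 = R4; R4 = R3; R3 = R2; R2 = R1; R1 = Rt;
    }
    s[0] = R1; s[1] = R2; s[2] = R3; s[3] = R4; s[4] = R5;
}

/* Flattened form with the same structure as the reference ofb_crypt():
 * two groups of four mutually independent mixing-function evaluations. */
static void flattened_eight_steps(const UINT32 *T, UINT32 *s)
{
    UINT32 R1 = s[0], R2 = s[1], R3 = s[2], R4 = s[3], R5 = s[4], Rt;
    Rt = M(R2, R3, T);
    R3 = M(R3, R4, T);
    R4 = M(R4, R5, T);
    R5 = M(R1, R2, T);

    R2 = M(Rt, R3, T);
    R3 = M(R3, R4, T);
    R4 = M(R4, R1, T);
    R1 = M(R5, Rt, T);
    s[0] = R1; s[1] = R2; s[2] = R3; s[3] = R4; s[4] = R5;
}

/* Constructed placeholder table (a simple LCG pattern), not the paper's
 * key schedule; any table is fine for the equivalence check. */
static void fill_placeholder_table(UINT32 *T)
{
    UINT32 x = 0x9e3779b9u;
    int i;
    for (i = 0; i < 256; i++) {
        x = x * 1664525u + 1013904223u;
        T[i] = x;
    }
}

/* Constructed starting state shared by both register models. */
static void init_state(UINT32 *s)
{
    int j;
    for (j = 0; j < 5; j++) s[j] = (0x01234567u * (UINT32)(j + 1)) ^ 0xdeadbeefu;
}

/* Run both forms from the same start state for 'rounds' output blocks and
 * return how many rounds disagreed (0 means the forms are equivalent). */
int count_mismatches(int rounds)
{
    UINT32 T[256], a[5], b[5];
    int r, j, mismatches = 0;
    fill_placeholder_table(T);
    init_state(a);
    init_state(b);
    for (r = 0; r < rounds; r++) {
        naive_eight_steps(T, a);
        flattened_eight_steps(T, b);
        for (j = 0; j < 5; j++) if (a[j] != b[j]) { mismatches++; break; }
    }
    return mismatches;
}

/* Guard against a vacuous pass: returns 1 if one flattened update actually
 * changes the register state, 0 otherwise. */
int register_moves(void)
{
    UINT32 T[256], before[5], after[5];
    int j;
    fill_placeholder_table(T);
    init_state(before);
    init_state(after);
    flattened_eight_steps(T, after);
    for (j = 0; j < 5; j++) if (before[j] != after[j]) return 1;
    return 0;
}

int main(void)
{
    printf("rounds with mismatch: %d (register moves: %d)\n",
           count_mismatches(1000), register_moves());
    return 0;
}
```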
on the problem of designing black-box symmetric ciphers that leak information securely and subliminally to the designer. We show how to construct a cipher which we call Monkey that leaks one key bit per output block to the designer of the system (in any mode). The key is leaked only if a particular plaintext bit is known to the designer (known bit/message attack, which is typically available in practice). The attack is of a kleptographic nature: it gives a unique advantage to the designer while using strong (e.g. externally supplied) keys. The new difficulty with the design of a spoofable block cipher is that it is deterministic (previous attacks exploit randomness in key generation or message encryption/signature) and the fact that we do not want any (statistical) observability of the spoofing (e.g. the validity of ciphertexts should not leak when keys change, etc.).

We distinguish between the entities: the designer, the reverse engineer and the user. We show a design methodology that assures that (1) if the device is not reverse engineered then the attack is secure (namely the cipher is good) and undetectable, (2) if the device is reverse engineered then the reverse engineer can learn at most one plaintext bit from every ciphertext (but no past/future keys), and (3) the designer can learn one plaintext bit and one key bit from each ciphertext block (by any mode). The method is therefore highly robust against reverse engineering.

Keywords: design methodologies for symmetric ciphers, secret cryptographic algorithms, spoofing, kleptographic attacks, trust, software vs. tamper-proof hardware designs, tamper-proof reverse engineering, public scrutiny.



The government has recently proposed a classified secret block cipher called Skipjack as part of the Clipper Initiative. Furthermore, since the mid 80's the NSA's Commercial Endorsement Program has been active, trying to base cryptography for secure computer and communication use on tamper-proof devices (see [Sch], page 98). The motivation of this paper is to investigate the possibilities of designing secret symmetric ciphers with sophisticated trapdoors that are hard to detect and are immune to reverse engineering, and at the same time maintain the basic properties of block ciphers. The issue is essentially methodological, as it points at potential non-trivial leakage attacks which are possible with black-box cipher designs as opposed to public designs. (Our goal is neither to undermine Skipjack nor to claim any concrete attack; we mer
ely point at what we believe is a threat of secret designs that is beyond giving trivial known advantages.)

We first note that it is easy to mount attacks on secret devices, e.g., by fixing their keys. Consider such a trivial advantage of an easily reverse-engineered secret cipher (reverse engineering has been shown to be a concrete possibility recently, and can be done by a company with a well-equipped micro-electronic laboratory). This risks the designer's unique advantage (of getting other past/future keys). Thus one may argue that such designs will not be put to use (e.g., by an agency which is concerned about losing out to the resourceful companies). On the other hand, with a unique advantage even after reverse engineering, a designer of a secret algorithm will have less hesitation to put it in general use. The above simplistic attack is also easily detectable when encryptions under "supposedly different keys" turn out to be identical. Another attack is by adding an encryption of the key under a secret designer key to ciphertexts; this will be easily noticeable due to data expansion. It will not be possible to classify such a design as a block cipher. Yet another attack is by designing secret devices using pseudorandomness known to the attacker. However, block ciphers are deterministic functions such that when given the same input with the same key the same result is expected. Thus one may employ pseudorandomness for encryption which is derived from the key and message, but then the encryption depends strongly on the key, which is unknown to the designer (attacker). Ignoring the key or using only a partial key is statistically detectable.

Moving ahead, we then notice that when we resort to known message attacks we may once in a while leak key bits, so such attacks can be more powerful in attacking. This leakage should not destroy the quality of the cipher (e.g. make it insecure w.r.t. differential or linear cryptanalytic attacks or other statistical attacks). We would like to go even further and have the cipher be immune to reverse engineering, which is characteristic of "kleptographic attacks" on black box devices (e.g. tamper resistant hardware). This means, for example, that the pseudorandom function's permanent key is not exposed after reverse engineering. If it were exposed then the secret keys used with other devices would be exposed. We hope that the above discussion reveals some of the reasons behind the methodology we propose herein.

There has been much recent work on designing cryptosystems to leak secret information securely and subliminally to the designers. The basic notions underlying these attacks, as well as tools that accomplish them, were developed in [YY96, YY97a, YY97b]. Specifically, they introduced the notion of a SETUP attack, where SETUP stands for "Secretly Embedded Trapdoor with Universal Protection". In their attack it is a secretly embedded trapdoor (public key) that is used to securely leak the secret information out of the cryptosystem. Their attacks are geared specifically towards public key systems and exploit randomness and subliminal channels [9] in key generation, message encryption and signing. Here we show how to perform these attacks on deterministic symmetric block ciphers that are secret. We will propose a design we call "Monkey".

The "Monkey" is a general design (a methodology). For concreteness and clarity of presentation we give an algorithm which uses an 80 bit key and has a block size of 64 bits.

The design has an aspect which is inherently more challenging than SETUP attacks. Namely, we want to allow a strong cipher and the use of the actual large key space (that is, to design a real block cipher), and block ciphers in turn are deterministic algorithms (implementing a permutation which is length-preserving). The attacker cannot control the choice of (strong and random) keys used by the cipher (we want to allow external source keying). Further, the attacker cannot know when it has access to mount the attack (we cannot assume some partial control over the device operation). In all the early work on SETUPs the fact that the public key algorithms (key generation or signing) were probabilistic in nature was exploited. Thus the natural question is: how can we design kleptographic attacks in this fully deterministic setting? In the present paper we show that if we are able to mount minimalistic known-plaintext attacks (known bit per message) then a close approximation to a SETUP attack (called a quasi-SETUP) can be performed on a symmetric cipher with secret specification (the notion of quasi-SETUP may be of independent interest). The attack gives exclusive advantage to the designer as in SETUP and has strong protection against reverse engineering (which is needed given the potential of reverse engineering of tamper resistant devices, which has been demonstrated recently in some settings [AK96]).



Our attack bears resemblance to SETUP attacks; let us recall what a SETUP is and define our quasi-SETUP attack. The following is the definition of a regular SETUP [YY97]:
private key pair such that the upper order bits of the public key can be used by the designer to compute the corresponding private key. More generally, they proved that any cryptosystem that contains a subliminal channel contains a
version. In [YY97] it was shown how one of the exponents in Diffie-Hellman key exchange can be securely and subliminally leaked to the designer over the course of two (wlog) consecutive key exchanges. This SETUP attack was the first SETUP attack that did not make use of explicit subliminal channels but rather generated channels for leakage due to repeated executions. In [YY97] SETUP attacks were given for the ElGamal public key cryptosystem, the ElGamal Digital Signature Algorithm, the Digital Signature Algorithm, Schnorr and other systems. The attacks on the signature schemes leak the private signing key over the course of two (wlog) consecutive signatures. All the above attacks use randomness employed by the cryptosystem.

Rijmen and Preneel [RP97] gave a much more ambitious direction which is different from ours. They suggested the construction of the first example trapdoor ciphers, demonstrating that even an open design has to be justified or pseudo-randomly generated to avoid potential spoofings. (How secure their design is, and whether strong trapdoors exist at all, are still open.) Indeed the potential existence of trapdoor ciphers already points at a difficulty with secret design. We will show that with Monkey the attack is assured and also that the attack can be based on minimal knowledge (known bit attack) and the length of a key recovery attack can be much shorter than the specific trapdoor-cipher based attack in [RP97] (these are of course advantages of attacks on hidden designs, which are easier in nature).

An approach to generating "trust" in a secret cipher design was attempted by producing a report of an inspection team in '93 in the context of Skipjack (for more about that report see [9]). The subtleties presented here may potentially cast some extra doubts on a secret way to assure trust by a known team (since one does not know how much the team knows and what information was made available to it). However, we must mention that by the same token we cannot have any concrete complaint against the specific report above.

Finally, let us mention that in the context of the recent NIST initiative to design the next generation of block cipher standard (AES), the work here re-enforces the notion of public scrutiny of suggested standards (to avoid various trapdoors, which are indeed possible).



The Monkey secret symmetric cipher takes an 80 bit symmetric key as input in addition to 64 bits of plaintext. It outputs a 64 bit ciphertext block. Monkey uses for pre-computations the SMALL1 public key cipher to be described. We assume that Monkey is a secret cipher. This is of course nonsensical since we are publishing it now. What we mean is that our suggestion is an instance of a methodology of design, and we can assume that a cipher like it (a variant) may be kept secret and implemented. We assume that it is tamper-resistant so that it is hard to get. Methodologically, what is important is this last fact (of being hard to get, i.e., black-box to the user) and not the exact physical assumption about tamper resistance (we are fully aware of recently discovered weaknesses of certain such claimed designs, while we are aware of other designs which were not reverse-engineered so far).



A fast key exchange algorithm was given that uses elliptic curves. In their scheme the curve E is a set of points (x, y) with x and y lying in the field F_{2^155}. They implement Diffie-Hellman over this curve using a publicly defined point P on E. This scheme appears to be secure as long as the index calculus method cannot be extended to elliptic curves.

It is a trivial matter to define a public key encryption algorithm based on Diffie-Hellman over E. Suppose Alice wishes to encrypt the message m, where m is 80 bits in size. Alice wishes to send this message to Bob, whose private key is x, where x is in the range [2, order(E)-2]. Bob's corresponding public key is the point y = xP. To send the encryption of m, Alice chooses a random integer r in the range [2, order(E)-2] and computes rP by iterating the addition of P using the "double and add" scheme. Alice then computes z = ry. Alice can then use some or all of the shared secret string H(z) to encipher the value m to get the value c. Here H is a suitable hash function. Note that c need only be as large as m. Alice then sends (rP, c) to Bob. Decryption is straightforward. Note that Alice sends Bob 310 bits corresponding to rP plus 80 bits that constitute c. Hence Alice sends Bob 390 bits of information. Note that the ciphertext size is smaller than what is possible using RSA with a 512 bit modulus. In this paper we define this to be the SMALL1 public key cryptosystem. Hence SMALL1 uses a random parameter r that is at least 2 and at most order(P)-2 and takes a public key y as input. SMALL1 takes 80 bits of input data m and produces a 390 bit ciphertext c. The operation of SMALL1 is denoted by c = SMALL1(r, y, m). Let SMALL1^{-1} denote decryption. Hence m = SMALL1^{-1}(x, c).



The designer chooses a keyed pseudorandom function F that takes as input a large seed (key) s and a 63 bit input x and produces a 63 bit output y. For an explanation of how to construct pseudorandom functions see [86]. The operation of F is denoted by y = F(s, x). The designer also chooses two seeds s_1 and s_2 uniformly at random (from the seeds of the given length). The designer chooses a private key x randomly for use in SMALL1 and computes the corresponding public key y. The designer puts (F, s_1, s_2, y) in the black-box device and keeps x private.



Let K denote the 80 bit key of the user. The user wishes to use the black-box device to encrypt the 64 bit plaintext message m to get the corresponding 64 bit ciphertext c. The operation of Monkey is denoted by c = Monkey(K, m). The device contains a secret symmetric block cipher called CIPHER1. CIPHER1 takes a 63 bit symmetric key k_1 and a 63 bit plaintext m_1. CIPHER1 produces a 63 bit ciphertext c_1. We denote the operation of CIPHER1 by c_1 = CIPHER1(k_1, m_1). The corresponding decryption operation is CIPHER1^{-1}. Hence m_1 = CIPHER1^{-1}(k_1, c_1). Let H denote a cryptographically secure hash function (e.g. a collision intractable function or a pseudo-random function) that maps {0,1}^80 to {0,1}^63. G is a random function that maps {0,1}^80 to a value in the interval [2, order(E)-2]. The following is the computation of Monkey(K, m) to get c:

1. m_1 is set to the lower order 63 bits of m

2. k_1 = H(K)

3. c_1 = CIPHER1(k_1, m_1)

4. the lower order 63 bits of c are set to c_1

5. r = G(K)

6. c_2 = SMALL1(r, y, K)

7. i = F(s_1, c_1) mod 390

8. b is set to the ith bit of c_2

9. z = F(s_2, c_1) mod 2

10. p is set to the most significant bit of m

11. the most significant bit of c is set to b ⊕ z ⊕ p



The following is the operation of Monkey^{-1}(K, c), which returns m:

1. c_1 is set to the lower order 63 bits of c

2. k_1 = H(K)

3. m_1 = CIPHER1^{-1}(k_1, c_1)

4. the lower order 63 bits of m are set to m_1

5. r = G(K)

6. c_2 = SMALL1(r, y, K)

7. i = F(s_1, c_1) mod 390

8. b is set to the ith bit of c_2

9. z = F(s_2, c_1) mod 2

10. p is set to the most significant bit of c

11. the most significant bit of m is set to b ⊕ z ⊕ p



Suppose that we manage to obtain 390 ciphertexts c^0, c^1, ..., c^389 such that we know the least significant bits of the 390 corresponding plaintexts. Suppose further that F(s_1, c_1^j) mod 390 for 0 ≤ j ≤ 389 is a permutation on 0, 1, ..., 389. The following algorithm computes the ciphertext bit in c_2 corresponding to c^j:

1. c_1 is set to the lower order 63 bits of c^j

2. i = F(s_1, c_1) mod 390

3. z = F(s_2, c_1) mod 2

4. p is set to the most significant bit of m^j

5. p' is set to the most significant bit of c^j

6. output p ⊕ z ⊕ p'

The above algorithm is applied to c^0, c^1, ..., c^389 to recover the ciphertext c_2. We then decrypt c_2 using x to recover K. We choose the most significant bit since, if the plaintext is ASCII for instance, this bit is known to be zero. In fact, since the block size is 64 bits, if the plaintext is ASCII we can leak using a bandwidth of 8 bits. Another possibility is to compress the plaintext (when possible) and then add high order bits which are known; decryption will decompress.



The above cipher is a concatenation of two secure ciphers. The problem is the separability of the ciphers, so that messages that differ only at the last bit have ciphertexts which also differ on that bit. (This separability in general may help in attacks like chosen message attacks. This is the case here, as messages come in pairs and when they differ on the last bit the ciphertext of one implies that of the other in the pair.) This can be overcome by cascading of ciphers. Namely, by post-processing (pre-processing in decryption) by CIPHER2, which employs (say at least four) Feistel transformations based on Luby-Rackoff's construction [LR88] with a fixed secret pseudorandom function. This spreads the local difference in the last bit only uniformly over the resulting ciphertext.

Another aspect that we did not cover carefully are the sizes of the various keys (of the pseudorandom functions). If we need larger keys in total we may derive these keys pseudorandomly (using a secret fixed internal seed) from the given key.



There are two perspectives with which to analyze the security. Those perspectives are the black-box perspective and the perspective of an attacker who is able to reverse-engineer the device (hence no black-box assumption). In this section we consider both of these in turn. We assume that the ciphers and pseudorandom functions used, CIPHER1, SMALL1, G, H and F, are secure.

Now we assume that a given user is unable to reverse-engineer the black-box device. It follows that Monkey is a black-box cryptosystem with private specification from the user's perspective.

We note that "specific security of a block cipher" is not defined here (of course such a generic definition does not exist). Our general methodology therefore attempts to preserve within the overall Monkey design whatever "security notion" CIPHER1 has, based on the strong security properties of the other building blocks (pseudorandom functions and permutations). One may argue that what we assume are heavy cryptographic tools; but this should not be a problem at this stage of the development of the methodology. Indeed we leave open the issue of minimal assumptions needed as well as the efficiency of design of ciphers with quasi-SETUP. What we claim is:

Claim 1. Assuming CIPHER2, SMALL1, G, H and F are secure, Monkey is exactly as secure as CIPHER1 with respect to users who cannot reverse-engineer the device.

Proof. c_1 constitutes a secure encryption of m_1 since CIPHER1 is a secure symmetric cipher. It remains to show that the least significant bit of c constitutes a secure encryption of the least significant bit of m. Since F is a secret pseudo-random function and since s_2 is unknown, it follows that F(s_2, c_1) is random and unknown to the user. Thus z = F(s_2, c_1) mod 2 is a random secret bit with respect to the user. Since this bit is exclusive-or'ed (one-time padded) with the least significant bit of m, the least significant bit of c constitutes a secure encryption.

Now the two secure values give two separable encryptions and can be viewed as a secure block cipher on 63 bits concatenated to a one-bit strong stream cipher encryption. The further Feistel-like transformations in CIPHER2, based on a pseudorandom function, which strengthen the design assure strong inseparable encryption (due to the "avalanche" properties of pseudorandom functions) and prevent easy chosen message attacks. The overall cipher can be viewed as two ciphers cascaded. The cascade is as secure as the first cipher (or as each of the ciphers for weaker attacks) [93, 8].

Recall that if the pseudorandom function (its key) is not known then the value of the function at a point cannot be approximated even in a very liberal sense, even if the values of the function at polynomially many other points are also given [86]. It is this property of pseudorandom functions that makes this attack secure; practical designs of pseudorandom functions can be based on iterated strong block ciphers with large keys. Only a minimal amount of security at best is sacrificed by using the 63 bit block cipher CIPHER1 as opposed to a true 64 bit block cipher (e.g. it is very easy to modify a standard block cipher to work on 63 bits). The additional bit encryption of the last bit is a strong cipher as well. Note also that cipher designs that are tunable to each size in small granularity (e.g. as in the NIST's AES specifications) have this disadvantage of being a potential CIPHER1 component in a Monkey design, where the difference (one bit in our case) is the amount of required known bits per message.

Now suppose that an attacker manages to reverse-engineer the device (thus CIPHER2 can be ignored hereafter). The attacker therefore knows (F, s_1, s_2, y) and the complete specification of the cipher Monkey. In this case the reverse-engineer is able to recover at most the least significant bit corresponding to the ciphertexts that are output by the device, as long as a sufficient number of known-plaintext bits are gathered. To see this, note that the reverse-engineer can recover the bit z from the secret key recovery algorithm in the same way as the designer. Since the reverse-engineer also knows p and presumably the least significant bit of m, he or she can exclusive-or these three bits together to recover one of the bits of c_2. If the reverse-engineer gets a sufficient number of known plaintexts, the reverse-engineer can reconstruct c_2. Then, equipped with the value c_2 for a given key K (not available in the device at the time of reverse engineering, i.e. a past or future key), the reverse-engineer can decrypt the least significant plaintext bits of all values encrypted with K. Can the reverse-engineer also recover the bits of K like the designer? The answer to this is no, as we will claim next.



Claim 2. Assuming SMALL1, G, H and F are secure, a reverse-engineer who recovers the contents of the device but not the designer's private key x cannot, even after a successful reverse-engineering, recover the user's key K.

Proof. Consider the ciphertext values that result from a particular key K. Since we assume that CIPHER1 is secure, the reverse-engineer is unable to learn anything about k_1, and hence K, from the 63 upper order bits of the ciphertexts alone. Note that the application of the pseudorandom function to c_1 to derive the least significant ciphertext bits has the effect of the application of a random oracle to c_1 to get the least significant ciphertext bits. Thus anything that can be deduced about K from all of the bits of the ciphertexts can be deduced from the least significant bits alone. So it remains to consider what can be deduced from the least significant bits of the ciphertexts alone. Since m, c and (F, s_1, s_2) are already known to the reverse-engineer, the reverse-engineer knows c_2. It remains to show that nothing about K can be learned from c_2. Since we assume that G is a secure random function, G(K) is a random string to the reverse-engineer. So, since SMALL1 is a secure public key cryptosystem, SMALL1(G(K), y, K) = c_2 is a secure public key encryption of K.

Claim 2 hinges on the fact that F and G are random functions and that SMALL1 is a secure public key encryption function. At the same time Claim 1 argues that in the event that the device is never reverse-engineered, and in the event that the designer never uses his or her power, Monkey is a secure symmetric cipher. Thus, in summary, the capability of users with respect to Monkey can be broken down into three different categories:

1. Users who are unable to reverse-engineer the device are unable to learn any plaintext.

2. Users who are able to reverse-engineer the device, when given enough known-plaintext, are able to learn one plaintext bit of every ciphertext.

3. The designer, when given enough known-plaintext, is able to learn all plaintext bits of every ciphertext (since it monopolizes the keys in use).

Given the above two claims, recall also that Monkey can be loaded with external keys. Monkey therefore constitutes a quasi-SETUP.

Note that this paper provides motivation for having new public key cryptosystems that output very small ciphertexts (such schemes, with yet hard to analyze security based on polynomial manipulation, have been designed, e.g. in [96]). If a public key cryptosystem exists that outputs ciphertexts that are, say, 200 bits in size then far fewer known-plaintexts need to be gathered to leak the secret key K securely. (The size of the public key block is related to the number of known messages required.)



We introduce the notion of quasi-SETUP and demonstrate a symmetric cipher (Monkey) which constitutes a quasi-SETUP. We showed how to design a secret cipher that gives an unfair advantage to the designer and that is very robust against reverse-engineering. Our results imply that secret symmetric ciphers implemented in black-box settings should only be used if they come from trusted sources, and cannot be simply trusted based on extensive statistical testing. It strengthens the need for open cipher design efforts. We did not attempt to hide which "known bit" is required for the attack. It may be the case that in more convoluted ciphers, where this needed bit is not specified, the combination of internal stream cipher operations, pseudorandom operations like S-boxes and Feistel transformations, and exponentiation operations can even hide which bits are needed to be known (and may evade an inspecting team lacking the original design documents).

Finally, efficient and minimal designs, and designs that maintain specific properties of block ciphers while enabling quasi-SETUP attacks, are left as open questions.
The proof of this lemma is sketched in Appendix 5.

In Lemma 9, property 3 shows that two values that are complements of each other are mapped to the same value. This is an undesirable property of hashing. It can be removed by restricting ( ) to polynomials with an odd number of terms, or alternatively by restricting inputs to a subset consisting of elements of the form (a, 0).

L t rain iniiia6_F„ a- H um th t h h V lu o ompl m nt 

i tin t in vi w o th two p opo m tho . n —mrd{ ) i w only on i 
lin iz polynomi 1 o 1 th n th n th ollowin p op ti 

hoi th y i t on qu n o L mm 9. 
3 ) s — n r 2 ss s un t n w t
The size of the digest is a lower bound and is usually less than what is used in systems. Although both hash functions can be applied to reduce the size of the digest, the size of the original message blocks will remain large. For example, for a 140 word digest a 1024 word message size must be used. For 32 bit machines this results in a large value of the minimum size of the message. If the message length is 20 words then the digest is 7 times longer than the message, and for 32 bit machines maps 640 bits to 4480 bits.

th omput tion wh nthm Inthi mlll3. v lly oh hin 

in o w y’ - m no n wh n th m 1 n th i m 11 n 
and extensively studied in the literature [5].
u in th -o it ( onju y oup ). in h 1 m nt o n o it h th 
o ( ") i ( )“ u p whi h i inv i nt un i. . 

mo ulu i union o -o it 12 -polynomi li lin iz 

polynomi 1 ( ) who o i nt li in th oun 1 ( ). 

upp s { ) s nr p n v r (”)• r s 

()r uus ()s p n 
(f2) — V — w r V n r nv r nt (2) 

su sp s. 

L t ( ) th olut t o — (2”) ov (2) th n ( ) 0 

0 1. o ov V a + -\ i th z o u p i (a) 0 it i 

1- im n ion 1 -inv i nt u p i (a) 1. 

uppo now th t i p im u h th t 2 i p imitiv mo i. . 2^*“ = 

1 mo n — 1 i th 1 t pow o 2 o whi h thi i t u . 
(horn 3.50 ). 

Now i ( ) o om thno 11 — — ^whv ( + ) 

( ) + ( ) . onv ly i ( ) ( ) th n ( + ) 0 ( ) 
Many cryptographic procedures that handle very long bit-strings make use of a hash function. The security of these procedures relies on the collision-resistance of the hash function or, in some cases, on the function's randomizing effect. A hash function is collision-resistant if it is infeasible to find a pair of distinct arguments that hash to the same value.

There are several approaches to the design of such hash functions. While it is not known whether any current designs achieve the desired properties, they generally fall into two categories: designs based on an existing block cipher (or other cryptographic primitive), and custom designs from scratch.

Custom designs. There have been numerous proposals for practical secure hash functions that admit fast software implementations and for which it is hoped that the cost of computing hash collisions is infeasible in practice [Riv90, Riv92, 94, 95, 96, 96].

Several of these are in widespread use. However, the general design principles for cryptographic hash functions are not well understood. As in the case of block ciphers, in practice a good hash function is simply one that survives the current attacks. Recent collision-finding attacks due to Dobbertin using a differential approach have been successful against MD4 and MD5 [Dob97, Dob96, Dob96]. More recently, even the one-wayness of MD4 has been challenged [r97, Dob9].

One approach would be to try to build on existing primitives. For example, one can concatenate the outputs of two different hash functions, hoping that the two functions behave independently (see [Pre93, §2.4.5] and certain commercial designs, e.g. [r95]). But one's hope is weakened by a cursory look at the source code for the popular hash functions, and even more so by Dobbertin's attacks on MD4-256, which derives two 128-bit values in this manner [Dob96].

Current methods to extend or strengthen previous designs include the following: increase the number of rounds (as in MD5); some coding or scrambling steps (as in SHA-1); increase the buffer size and make the mixing step vary with the round. All of these are natural attempts to increase the security of hash-function design, but an analysis based on a set of plausible heuristic assumptions would better enhance our confidence in the result. An example of such an assumption is the ideal-cipher model for DES discussed below.

Designs based on block ciphers. Another well-studied approach (see e.g. [MMO85, Merk89]) bases the design on an existing trusted block cipher. For security assessments of such schemes see [Merk89, 97, 93]. (For this and other questions about cryptographic hash functions, [Pre93] and [MOV97, Chap. 9] are excellent references.) Unfortunately, these designs yield implementations using DES that are slower than MD5 (for example) almost by an order of magnitude, making them unacceptable for many applications. The reason is that the rate of a design based on an n-bit cipher is defined as the number of n-bit blocks of text compressed per application of the cipher. (Sometimes, as in [Pre93], rate is used to mean the inverse of this ratio.) One of the suggestions here enables us to increase the rate significantly, yielding practical designs.
It is common to use idealizations of block ciphers as random permutations or functions from (k+n) bits to n bits in the analysis, and this is used to construct 2n-bit value secure hash functions (see references above). In the case of DES, where n = 64, this yields 64-bit hash functions, which are vulnerable to simple birthday attacks. However, it is non-trivial to construct 2n-bit value secure hash functions from families of n-bit value hash functions. The 2n-bit value hash function must behave like a 2n-bit value random function for up to 2^n queries, but the n-bit primitives run into birthday collisions around 2^(n/2) queries, which potentially could be used in an attack against the design. A solution for this output-doubling problem was given in [96]. This construction is expensive, making eight calls to the underlying random function, and hence it is not suitable for a practical 2n-bit value compression function.

The analysis of our construction begins by assuming that both of the two functional components are random functions. This is not for the purpose of proving the existence of secure hash functions, but rather to examine what security parameters can be achieved. In addition, it motivates the weaker assumptions used in the analysis that follows.

1.1 New constructions

The constructions that we propose first stretch the input string mildly and then compress the result of this expansion. Here we briefly motivate this approach.

Stretching stage. Our first stage stretches the input mildly. We will use primitives that have reasonable one-wayness and randomizing behavior, so as to obtain an almost surely one-to-one stretch function. This trivially avoids collisions in the first stage and allows us to analyze this stage using distributional and one-way properties of the primitives we employ. Furthermore, these properties make it infeasible for the adversary to force its outputs into a set of his choice, for example a set of points for which he has computed collisions for the second stage. We show how to use popular hash functions like MD5 or SHA-1 to do this. We remark that in large randomness tests with MD4 and MD5 it has been observed that both functions have very good distributional properties even when they are iterated [96].

Compression stage. In our second stage we apply a compression function. This stage could simply use any collision-resistant hash function such as SHA-1 or RIPEMD-160. Note that the security of our construction does not require collision resistance from the compression stage. For example, an adversary might find collisions for the compression stage. However, the colliding strings may not be in the range of the stretch function, and even those that are will be hard to invert. On the other hand, if the adversary begins by finding many input-output pairs for the stretch function, then a successful attack on the whole construction must find compression-stage collisions from among this restricted set of fairly random points.

Constructions using existing primitives. In a practical setting, this work suggests ways to use the hash functions that are currently broken or partially broken in such a way that we can depend on their one-wayness and randomness or distributional properties, rather than directly on their collision-security, which may be in doubt or already violated. Note that there are many choices for each of the two components of our construction, and they can be combined independently.

Customized hash functions. Customized hash functions, for example MD5, SHA-1 and RIPEMD-160, can be used in either or both stages of our construction.

If the hash function has h bits of output, then it can be used in the stretching stage as follows. If at most h bits are needed for the input to the compression stage, then simply feed blocks of input text to the hash function. If more than h bits are needed for the input to the compression stage, we propose the following simple chaining. Use the h bits of output above as the first h bits of output of the chaining rule. In addition, concatenate these bits to the next bits of input to the hash function to get another h bits of output, and continue this chaining rule as needed.

For the compression stage, any of these hash functions can be used directly on the fixed-length output of the expansion stage.
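The two-stage construction with customized hash functions, as an added example that is not part of the paper: MD5 is used for the stretching stage with the chaining rule just described, and SHA-1 (one of the two functions the text names) is used as the compression stage. The block size of 96 bits is chosen to mirror the parameters reported later in the paper (each 96-bit block yields 128 bits, so 6 blocks give 768 = 16·48 bits); the block size, the sample inputs and the injectivity check are assumptions of this example. MD5 and SHA-1 are chosen only because the text discusses them; both are broken for collisions today, which is exactly the situation the paper's construction is meant to tolerate by relying on their one-wayness rather than their collision resistance.

```python
import hashlib

BLOCK_BYTES = 12   # constructed choice: 96-bit input blocks
MD5_BYTES = 16     # h = 128 bits of output per MD5 call


def stretch(x: bytes) -> bytes:
    """Stretching stage: MD5 with the chaining rule described in the text.
    Hash the first block; then hash (previous output || next block) and
    concatenate all outputs.  Each 96-bit block contributes 128 bits, so the
    output is longer than the input (the mild expansion the text asks for)."""
    if not x or len(x) % BLOCK_BYTES:
        raise ValueError("input must be a non-empty multiple of %d bytes" % BLOCK_BYTES)
    blocks = [x[i:i + BLOCK_BYTES] for i in range(0, len(x), BLOCK_BYTES)]
    prev = hashlib.md5(blocks[0]).digest()
    out = prev
    for blk in blocks[1:]:
        prev = hashlib.md5(prev + blk).digest()   # chain: previous output || next block
        out += prev
    return out


def compress(y: bytes) -> bytes:
    """Compression stage: a fixed-length collision-resistant hash (SHA-1 here)
    applied to the stretched string."""
    return hashlib.sha1(y).digest()


def two_stage_hash(x: bytes) -> bytes:
    return compress(stretch(x))


def stretch_injective_on(samples) -> bool:
    """Sanity check of the 'almost surely one-to-one' claim on a constructed
    sample set: no two distinct inputs may share a stretched output."""
    seen = {}
    for s in samples:
        y = stretch(s)
        if y in seen and seen[y] != s:
            return False
        seen[y] = s
    return True


# Constructed inputs: 256 distinct 576-bit strings (6 blocks of 96 bits each).
CONSTRUCTED_INPUTS = [i.to_bytes(12, "big") * 6 for i in range(256)]
```

A 576-bit input stretches to 6·128 = 768 bits, the size of the expanded key in the DES-based compression stage the paper describes; here those 768 bits are simply compressed by SHA-1 to a 160-bit digest.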

We remark here that MD4 may also be sufficient for both stages. For example, as noted above, the stretching stage is required to be one-way. Although two rounds of MD4 have recently been inverted [Dob9], the inverse found is of length 512. Note that there are very many inverses (2^(·) − 2^(·) on average) per 128-bit output. However, MD4 might be used in our stretching stage to expand, for example, 80-bit inputs to 128-bit outputs. In this case, for an overwhelming fraction of outputs, an adversary would be required to find the inverse. In addition, with a sufficiently random and one-way stretch function, our analysis suggests that the requirements for the compression function are considerably relaxed. For example, using a truly random stretch function, the compression function need only have a fairly uniform preimage structure.

Subset-sum constructions. Constructions based on the subset-sum function may be used in the stretching stage. The subset-sum function may also be used in the compression stage, as it is known to yield provably secure hash functions on the assumption that it is infeasible to find almost shortest vectors in lattices [96]. However, the best lattice-based attacks are quite powerful, forcing the lattices (and hence the implementation) to be relatively large. We suggest some constructions in the final version of this paper.

DES-based constructions. Any DES-based hash function, e.g. [MMO85, Merk89], may be used in either stage of our construction in the same way as described above for customized hash functions. However, since these hash functions consume few bits of input per DES call (i.e. they have low rate), the resulting hash function will be unacceptably slow for most practical applications.

In this paper we propose a new DES-based construction for the compression stage. Because of the properties of the first stage, our construction uses only two DES calls to obtain a 128-bit output value. The construction is extremely simple. As in [Merk89] we will use a modified form of DES call, DES*, defined as follows: DES*(k, x) = DES_k(x) ⊕ x (where k is potentially the 16·48-bit expanded key). The output of the stretching stage is split into two pieces, each of which is used separately as the key to one DES* call. The outputs of the two calls are simply concatenated.

Assuming that the stretch stage is a truly random function and that DES has an almost regular preimage structure (i.e. all points in the range have approximately the same number of key-plaintext pairs mapping into them), we show that this construction is secure (see §3.3). This is a significant simplification of the requirements on the primitives to be used in a compression function. The same scheme without the randomizing initial stage is insecure; to achieve similar security would require more rigorously random-function-like primitives and many more calls to them (e.g. as in [96]).

In many cipher-based constructions the string to be hashed is used as a key to encrypt some initial or intermediate value of the hash function. The usual DES key scheduling algorithm stretches the given 56-bit key into 48·16 bits. One way to improve the rate of a DES-based hash function would be to skip the key-scheduling algorithm and use 16·48 bits of input text directly as key. This idea is swiftly rejected, since the invertibility of intermediate rounds of DES can be used to mount a meet-in-the-middle attack as follows (see [5] and [M1] for related attacks). The attacker can pick the text corresponding to the keys for all but three rounds arbitrarily. He picks the remaining round keys randomly and expects a birthday collision between one round in the encrypting mode and the next level in the decrypting mode.

Our DES-based scheme, perhaps controversially, allows the thoroughly randomized output from the first stage to be used directly and thus to skip the key scheduling algorithm. This considerably increases the rate of the resulting construction.

While this proposal clearly needs study, there is evidence to support the claim that keying DES in this manner is secure. We point out that this is similar to scheduling the round keys in DES with independent keys, a method whose security is closer to exhaustive search for the 56-bit key (rather than the extended key of length 16·48) in the sense that it takes about 2^(·) steps (including computational overhead) by current differential attacks, and one may expect this number to be somewhat smaller for linear attacks. Of course, the key is considered hidden for the differential attacks against a block cipher. Differential attacks are far more natural in the context of secure hash functions, since the attacker can compute all the required input-output pairs by himself. In addition, the attacker could conceivably mount a meet-in-the-middle attack based on the invertibility of individual rounds of DES, as discussed above; but such attacks are not applicable to our use of DES, as the adversary has little effective control over the key bits.

Example parameters are as follows: we can securely stretch a 512-bit string to a 16·48-bit string and use the latter as the DES key. Then using the stretched output as DES key would effectively allow us to compress 512 bits per DES call. With well optimized assembly-language implementations this results in implementations that are so much faster than standard DES-based constructions that they can be used in practice. Below we report running times of a preliminary implementation.

We stress that the second stage is not to be derived from a cipher, and hence our first stage is not merely a key scheduling algorithm. Often, as in the case of DES or Tiger, the key scheduling in hash-function design is reversible, but we demand one-way and randomizing properties in our first-stage functional component. The reversibility may be more appropriate for ciphers, where the key is held secret, than it is for hash functions, where the collision adversary can choose the inputs. Our stretch functions may actually strengthen block-cipher constructions by helping to avoid weak keys and related-key attacks; we omit details here to obey space constraints.

However, there are attacks on adaptations of DES that skip the key-scheduler. Below we point out how the use of stretch functions can avoid these attacks. Briefly, the attacker must be able to choose some portions of the extended key during the attack, which is what the randomizing expansion step is designed to preclude. With overwhelming probability the attacker's choice of extended keys will not be in the range of the first stage, and there is no easy way to take a small string and extend it to a string lying in the range of the first stage.

We believe our designs are useful in practice and allow their security to be analyzed under explicitly stated assumptions on the cryptographic primitives that we use. Finding the weakest assumptions sufficient for the construction of collision-resistant hash functions is a fundamental unsolved problem. Our constructions raise some related issues that may help clarify both the practical as well as the theoretical point of view. To summarize, the stretching stage simplifies the requirements on the compression function, which is largely the crux of the task of designing secure functions. This is significant in itself and may actually lead to faster constructions upon further research.



Performance

We performed a preliminary implementation to test the speed of one version of our construction and found it surprisingly fast compared to several other hash functions. Our test implementation on a 166MHz Pentium processor-based laptop computer yielded a version running around 60Mbits/sec. The scheme described above used MD5 for the stretch function, mapping 96·6 bits to 128·6 = 48·16 bits, and for the compression stage we used the DES-based construction producing 128-bit hash values.

We compared the speed of our construction both to MD5 and to DES-based hash functions. We tested with many variants for the DES-based compression schemes. The speed reported here for these functions is overestimated by assuming that they consume close to 56 bits of input per DES call. The speeds of MD5, our hash construction and DES-based hashing are in the ratio 1 : 0.43 : 0.032. Our testing did not optimize for platform-dependent parameters such as cache size. The usually quoted speed ratios between MD5, SHA-1 and RIPEMD-160 are 1 : 0.41 : 0.34 : 0.13. These ratios are at best crude approximations, since many parameters cause these ratios to vary among modern processors. For example, assembly coding can speed up different algorithms at different rates. While our DES code was optimized, our MD5 implementation was a straightforward one. In the final version, which will be available from the authors (or at http://research.microsoft.com/crypto and http://www.surety.com/pub/), we shall present a more detailed performance analysis of more varied schemes.

1.2 Further outlook on constructions

In §4 below we suggest some imperfect random-oracle models and show how to build better primitives from given imperfect ones. In this vein we also analyze how to defend against a collision-finding adversary for a given primitive by building in independent primitives.



We will often model functions as random functions. A random function has the following property. When it is evaluated on an input (assumed to be different from all other inputs thus evaluated, since there is no need to evaluate the function more than once on the same input), the output is uniformly distributed and independent of all output values thus far.

We fix a bounding function (e.g. 2^(n/·)), and this will correspond to our notion of an infeasible amount of resources (e.g. run-time or memory). All functions (e.g. run-times) lower-bounded by it, functions that are smaller than its reciprocal, and all probabilities of the form 1 minus its reciprocal are treated accordingly.

A function mapping n bits to m bits is said to be one-way if it is efficiently computable (e.g. in polynomial time) and, given the image of a randomly chosen input, any inverting algorithm takes at least the bounding time with overwhelming probability (over the choice of input). In addition, if for any (adversary's collision-finding) algorithm C, a successful execution of C, producing two distinct inputs with the same image, takes time at least the bound, then we call this function collision-resistant. For formal definitions and implementations based on various assumptions see [Dam87, Merk89, Y90]; in addition, [Pre93, MOV97] are excellent references for this topic. It is not known what is the weakest assumption under which one can construct collision-resistant hash functions.

Given a fixed-length collision-resistant compression function g mapping n-bit inputs to m-bit outputs, one can build a collision-resistant hash function h defined on arbitrary-length inputs following the construction of Merkle [Merk90] and Damgård [Dam89]. Assign a fixed m-bit initial-value string IV, and given an input x = x_1 ... x_t (formatted with Merkle–Damgård strengthening, i.e. with appropriate padding to encode the length of the text) as blocks of length (n − m), let the value of h(x) be defined as follows: h_0 = IV; h_i = g(h_{i−1}, x_i) for 1 ≤ i ≤ t; h(x) = h_t. Thus we will concentrate here on analyzing fixed-length collision-resistant compression functions.
After describing our new construction (in §3.1) we proceed to analyze its security, first by assuming that its components are truly random functions of the appropriate class (§3.2) and then by weakening these assumptions (§3.3). This analysis treats the properties of our construction of a cryptographic hash function with fixed-length inputs.

3.1 The construction

Our constructions first stretch the inputs and apply a compression function next. We describe the requirements on these functions after presenting some rationale for stretching.

Our stretch functions. We introduce the use of stretch functions, which mildly increase the input lengths for the purposes of constructing hash functions. A stretch function s maps n-bit inputs into 2m-bit outputs, where 2m > n. The input strings to s will be denoted by x and the output strings will be denoted by the pair (y, y'). Informally, they satisfy:

One-wayness: given any s(x), it is hard to find any x' such that s(x') = s(x).

Randomness: the outputs of s have a bounded bias, and s is locally random (i.e. k-wise independent for some k > 1).

Under the randomizing conditions we impose on s's outputs, s is an injective function on an overwhelming fraction of the inputs if 2m − n is large enough.

Our definition of one-wayness is also known as preimage resistance.

Compression functions. The outputs of these stretch functions (along with a 2n-bit value) are fed into a compression function f from (2m + 2n) bits to 2n bits. We will consider the first 2m bits of input as key. The remaining 2n bits of input will be denoted by the pair (v, v'), and the output by (w, w'). Our overall compression function will be denoted by F, which compresses the input strings to 2n-bit strings. It is defined as follows:

() fti,-) 

While there are many instantiations for f, the one we will concentrate on is as follows. Let f_k denote a compression function from n bits down to n bits. The first bits of input of f we will consider as key. For now we will define

k,k{ 1 ) k{ ), k{ )■ 

In our implementations we use a modified form of DES as our function f_k, namely f_k(x) = DES*(k, x) = DES_k(x) ⊕ ρ(k, x), where ρ(k, x) represents some simple function of k and x. (For example, ρ(k, x) = x was suggested in [MMO85, Merk89].)

Note that in this case the hash value is 128 bits, and to resist the attacks due to van Oorschot and Wiener [vOW94] 192-bit hash values may be needed. It is easy to generalize our result to 192 bits by using three calls to the underlying cipher. This will be covered in the complete version of the paper.
Butterfly compression. We define a variation on the compression function above, the butterfly compression, as follows:

k,k( > ) ) ~ ( ) )> k( ) ~ ( > )> 

where the constants are appropriately chosen and the mixing function is very simple to compute (for example a bitwise XOR). This variation appears to increase the complexity of the attacks using inversion algorithms. In the final version of this paper we present an analysis of this scheme.

3.2 Security assuming perfect random functions

We begin our analysis of F by assuming that s and f are random functions.

1. c c c 

2 c y 

c yO{^ 22") 

Proof. Any adversary which makes a total of q queries, in sum, to f and s can do no better than an adversary which makes q queries to both f and s. We will thus analyze the latter type of adversary.

Due to the fact that both s and f are random functions, it is easy to show that the adversary maximizes its chances of finding a collision by using the outputs of its queries to s as the input to its queries to f. Due to space limitations we omit this argument here. So assume the adversary makes q queries to s to produce
{( i, i)~ s w 11 s {( “*)- 1 - - wh r i fc. ( ) n “i j.. (“). 

We will assume that the two query sets are aligned as above. Fix a pair of queries i and j, with i ≠ j, and let p denote the probability that this pair of queries yields a collision, i.e. that F takes the same value on the i-th and j-th inputs. There are four disjoint cases.
3.3 Security assuming an almost regular preimage structure

We now assume s behaves like a random function. Our goal is to show that it is sufficient to have some assumption on the distribution of the number of inverses belonging to a point in the range of f.
longing to point in th r ng o . fin S'a;( ) { — k{ ) — L t 

x{ ) Sx{ )— or ny fix not th t y x{ ) 2™ so th t th v r g 

V 1 o ^( ) ov r 11 th V 1 so is 2™-”. fin ^( ) ^( ) 2™"” n 

o s rv th t y x{ ) 2”. 



t o 2. y 



( - 2^ 



his on ition is q iv 1 nt to th ollowing L t 
r ng hos n with pro ility 2“". hn or rn omly 



r n om point in th 
hos n ( a;( )2) 



or r n om n tion th v 1 o is onst nt with high pro ility. ot 
th t r q iring n tion to -r g 1 r_is w k r on ition th n r q iring 
th t h 2 ,( ) 1 ss th n or q 1 to ( or x mpl (1 (l))-r g 1 r 

n tion might hv sy vl so with ) or som v 1 o ). 

or 3. c c 

y c y 

0 { 2 2 22 ") 

Proof. Assume the adversary makes q queries. Fix i and j and consider the i-th and j-th queries. Then
So it follows that randomness properties of s are sufficient to weaken the requirements on f considerably. Also note that the outputs of s need not be one-way for this. A word of caution is warranted here. If no one-wayness properties on s are imposed other than the regularity condition, then one must rule out
Proof. Suppose an adversary running in time T finds collisions on F. There are three cases.

si h V rs ry fin s ollision on . y ss mption this h pp ns 
with pro ility t most ( (2 ) (2 ))^. 

s 2 h V rs ry fin s p rti 1 ollisions o . or h with k 1 

th V rs ry will g t ollision on n h v pro ility o ollision on “ t 

most 2“" n n logo s st t m nt hoi s or h with ^ 1. o in this 

s th pro ility o ollision on th o tp t is 2“" y ss mption ^ 
X s with pro ility t most n this so rs with pro ility 

t most “ 2”. 

s 3 h V rs ry fin s no ollisions or p rti 1 ollisions on . in is 

r n om n tion th pro ility o ollision is ^ 2^" wh r is th n m r 
o inp to tp t p irs o omp t y th v rs ry. in is Iw ys on 

rom ov y this yi 1 s n pp r on on th pro ility or this s o 

( 2")2. R 



Here we suggest simple constructions and heuristics to construct new hash functions using the old ones, so that the new one may be hard to break even if one or more of the old ones comes under attack.



4.1 Composition

where the instance is selected by a randomly chosen bit string. The collision security of a hash function is a lower bound on the time required to find two inputs x_1 and x_2 such that h(x_1) = h(x_2). We first claim that the above construction at least preserves security. Note the symmetry: we do not know which of the functions is more secure, either with respect to collisions or with respect to inversion.
Proof. If h(x_1) = h(x_2) is a collision for h, then we get a g-collision at g(x_1) = g(x_2) or an f-collision at f(g(x_1)) = f(g(x_2)). Similarly for the inversion security. ∎

It seems to be essential to use f twice in this construction. The inversion security of h is never more than twice the maximum of the two. In the random-function model the composition of two functions usually causes more collisions, which makes it easy to distinguish a composition from a truly random function; however, here we are interested in the difficulty of finding collisions. Since the number of rounds in h is the sum of the rounds in f and g, one would heuristically expect the resultant function to be stronger.

Now we would like to obtain an f and g that behave as if they were independent. If the functions behave almost like random functions then of course the construction would be secure. We want to provide a formal background for analyzing this. For this we use the model of imperfect random functions for the primitives. Any existing primitive with an estimated security (at least currently) can be thought of as an imperfect random function with appropriate parameters. For this we define two measures. First we consider a simpler (but more restrictive) bit-level parameter. Define the bias of a Boolean-valued random variable to be

to. c c 

0 - - 1 

Needless to say, considering the individual bits to be independent is less realistic, but it gives us a more reasonable heuristic than the perfect random function model. These functions are easily distinguished from truly random functions (for bias not equal to 1/2) merely by observing the fraction of 1s in the output strings. Considering the output as a whole, we make the following definition.
if for any set of output strings with respective probabilities the min-entropy satisfies the stated bound. Note that the individual bits of the values of an ε-imperfect function can be correlated, and they may not look at all random. However, when it comes to collision security, ε-imperfect functions are good enough. High min-entropy is a necessary condition for a secure hash function; for example, if the min-entropy is low then much of the probability may concentrate in a small set, and it would be too easy to find a collision. But the condition is also sufficient, as shown by Lemma 11 below.

Obviously an ε-random function is ε-imperfect.
Proof. Let f be an ε-imperfect function. Each output string occurs with some probability, and by assumption the min-entropy bound holds. Consider a collision adversary that makes q queries to f, which we model as random variables taking the respective output values. The expected number of colliding pairs is



o rs s n o tp t o 
or — 2“^”. n now 
whi h w mo 1 s th 
, , q in p rti 1 r 



r i 
and the expected number of collisions is at most the bound stated. Hence the collision security of f is at least as claimed. ∎



4.2 Constructions from independent primitives

One way to view the above construction is that it takes two imperfectly random functions and yields a function that is closer to being a truly random function. Towards this end, consider the following construction:

■( ) ()- 5 () 

It is relatively easy to analyze the construction at bit level in the random-function model.

12 . g c —g 

4-2 - (1-2 )2 

Proo n r two in p n nt ool n v ri Is oth with is th n 

— hsis 2(1— ) n s tisfi s 4 — 2 — (1 — 2 )^. R 

A Boolean variable with bias ε has a gap between the probabilities of occurrence of 1 and 0 of (1 − 2ε). The significance of this lemma is that the gap narrows quadratically as we pass from f or g to f ⊕ g. Thus, for any t, iterations of this process with independent functions narrows the gap accordingly.

However, this construction does not allow us to make claims as in the above lemma when we move from the idealized random-function world to the complexity-theoretic world, where the functions involved are specific, presumably collision-secure functions. That is, one cannot show that h is collision-secure if f or g is. However, in an imperfect random function model it is easy to show the following.

Given two imperfect random functions f and g, the expected number of queries to find collisions for h and for its composition counterpart is the same in both cases. Thus the construction for h is better in that it allows us to analyze its security both in the complexity and in the random-function worlds. But we now show that the construction has the surprising result of creating independence.
,gs -1 M 5 n oth r rok n th n wo 1 still n m ny 11s
ount p n yst ms



University of California, Berkeley



In this paper we discuss the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that these are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.



It is hard to imagine a well-designed cryptographic application that doesn't use random numbers. Session keys, initialization vectors, salts to be hashed with passwords, unique parameters in digital signature operations, and nonces in protocols are all assumed to be random by system designers. Unfortunately, many cryptographic applications don't have a reliable source of real random bits, such as thermal noise in electrical circuits or precise timing of Geiger counter clicks [K85, u85, Agn88, Ric92]. Instead, they use a cryptographic mechanism, called a Pseudo-Random Number Generator (PRNG), to generate these values. The PRNG collects randomness from various low-entropy input streams, and tries to generate outputs that are in practice indistinguishable from truly random streams [86, L93, 94, 94, Plu94, Gut98].

In this paper, we consider PRNGs from an attacker's perspective. We discuss the requirements for PRNGs, give a basic model of how such PRNGs must work, and try to list the possible attacks against PRNGs. Specifically, we consider ways that an attacker may cause a given PRNG to fail to appear random, or ways he can use knowledge of some PRNG outputs (such as initialization vectors) to guess other PRNG outputs (such as session keys).

Note that "random" is a word that is easily misused. In this paper, unless we say otherwise, the reader may assume that "random" values are one sample of a random variable which is uniformly distributed over the entire set of n-bit vectors, for some n.



This research has important practical and theoretical implications:

1. A PRNG is its own kind of cryptographic primitive, which has not so far been examined in the literature. In particular, there doesn't seem to be any widespread understanding of the possible attacks on PRNGs, or of the limitations on the uses of different PRNG designs. Better understanding of these primitives will make it easier to design and use PRNGs securely.

2. A PRNG is a single point of failure for many real-world cryptosystems. An attack on the PRNG can make irrelevant the careful selection of good algorithms and protocols.

3. Many systems use badly-designed PRNGs, or use them in ways that make various attacks easier than they need be. We are aware of very little in the literature to help system designers choose and use these PRNGs wisely.

4. We present results on real-world PRNGs, which may have implications for the security of fielded cryptographic systems.

1.2 Guide to the rest of the paper

In Section 2, we define our model of a PRNG, and discuss the set of possible attacks on PRNGs that fit this model. In Section 3, we discuss applications of those attacks on several real-world PRNGs. We then, in Section 4, end with a discussion of the lessons learned, and a consideration of some related open problems.



In the context of this paper, a PRNG is a cryptographic algorithm used to generate numbers that must appear random. Examples of this include the ANSI X9.17 key generation mechanism [ANS85] and the RSAREF 2.0 PRNG [RSA94].

A PRNG has a secret state, S. Upon request, it must generate outputs that are indistinguishable from random numbers to an attacker who doesn't know and cannot guess S. In this, it is very similar to a stream cipher. Additionally, however, a PRNG must be able to alter its secret state by processing input values that may be unpredictable to an attacker. A PRNG often starts in a state that is guessable to an attacker (usually unintentionally), and must process many inputs to reach a secure state. Sometimes the input samples are processed each time an output is generated, e.g. ANSI X9.17. Other times the input samples are processed as they become available, e.g. the RSAREF 2.0 PRNG.

Note that the inputs are intended to carry some unknown (to an attacker) information into the PRNG. These are the values typically collected from physical processes (like hard drive latencies [i s94]), user interactions with the machine [Zim95], or other external, hard-to-predict processes. Typically, system implementers and designers will try to ensure that there is sufficient entropy in these inputs to make them unguessable by any practical attacker.
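The PRNG model just described (a secret state S, inputs absorbed as they become available, outputs that must look random without S), as an added example that is not one of the generators the paper analyzes. The hash-based state update, the domain-separation tags and the constructed seed and sample values are assumptions of this example. The check at the end tests the design property a defender cares about once the state may later be compromised: whether an attacker holding (S, counter) can recompute outputs that were emitted before the compromise. A generator that leaves S unchanged between outputs fails that check; one that replaces S by a one-way image of itself after each output passes it.

```python
import hashlib


class HashPRNG:
    """Constructed example of the PRNG model in the text: a secret state S that
    absorbs entropy samples as they arrive and emits outputs that should look
    random to anyone who does not know S.  Illustrative code, not a generator
    from the paper."""

    def __init__(self, seed: bytes = b"") -> None:
        # A PRNG often starts in a guessable state; an empty seed models that.
        self.state = hashlib.sha256(b"init" + seed).digest()
        self.counter = 0

    def add_input(self, sample: bytes) -> None:
        # Mix an entropy sample into S as it becomes available (the
        # "as they become available" processing style the text mentions).
        self.state = hashlib.sha256(b"input" + self.state + sample).digest()

    def generate(self, one_way_update: bool = True) -> bytes:
        # Output = H(S, counter); without S it is unpredictable.
        out = hashlib.sha256(
            b"output" + self.state + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        if one_way_update:
            # Replace S by a one-way image of itself after every output, so a
            # later copy of S does not reveal the S used for earlier outputs.
            self.state = hashlib.sha256(b"next" + self.state).digest()
        return out


def earlier_outputs_recoverable(one_way_update: bool) -> bool:
    """Design check: after three outputs, assume (S, counter) leaks.  Return
    True if that leaked state alone reproduces the three earlier outputs."""
    prng = HashPRNG(b"constructed seed")
    prng.add_input(b"constructed entropy sample")
    earlier = [prng.generate(one_way_update) for _ in range(3)]
    leaked_state, leaked_counter = prng.state, prng.counter   # the compromise
    recomputed = [
        hashlib.sha256(b"output" + leaked_state + i.to_bytes(8, "big")).digest()
        for i in range(leaked_counter)
    ]
    return recomputed == earlier


def same_seed_same_stream() -> bool:
    """Two generators fed identical seed and inputs produce identical output,
    which is why an attacker who can guess the seed and inputs wins."""
    a, b = HashPRNG(b"seed"), HashPRNG(b"seed")
    for g in (a, b):
        g.add_input(b"sample-1")
    return a.generate() == b.generate()
```

The second helper makes the model's other consequence concrete: the generator is fully deterministic given its seed and inputs, so the security of every output rests entirely on the attacker being unable to guess S.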
Note that the outputs are intended to stand in for random numbers in essentially any cryptographic situation. Symmetric keys, initialization vectors, random parameters in DSA signatures, and random nonces are common applications for these outputs.

See Figure 1 for a high-level view of a PRNG. Also, Figure 2 defines the terminology used, and Figure 3 shows a PRNG with periodic reseeding.

PRNGs are typically constructed from other cryptographic primitives, such as block ciphers, hash functions, and stream ciphers. There is a natural tendency to assume that the security of these underlying primitives will translate to security for the PRNG.

In this paper, we consider several new attacks on PRNGs. Many of these attacks may be considered somewhat academic. However, we believe there are situations that arise in practice in which these attacks are possible. Additionally, we believe that even attacks that are not yet practical should be brought to the attention of those who use these PRNGs, to prevent the PRNGs' use in an application that allows the attacks.

Note that in principle, any method of distinguishing between PRNG outputs and random outputs is an attack; in practice, we care much more about the ability to learn the values of PRNG outputs not seen by the attacker, and to predict or control future outputs.



Figure 1: Black-box view of a PRNG

1. Direct cryptanalytic attack. When an attacker is directly able to distinguish between PRNG outputs and random outputs, this is a direct cryptanalytic attack. This kind of attack is applicable to most, but not all, uses of PRNGs. For example, a PRNG used only to generate triple-DES keys may never be vulnerable to this kind of attack, since the PRNG outputs are never directly seen.
Figure 2: View of internal operations for most PRNGs




2. Input attack. An input attack occurs when an attacker is able to use knowledge or control of the PRNG inputs to cryptanalyze the PRNG, i.e. to distinguish between PRNG output and random values. Input attacks may be further divided into known-input, replayed-input, and chosen-input attacks. Chosen-input attacks may be practical against smartcards and other tamper-resistant tokens under physical/cryptanalytic attack; they may also be practical for applications that feed incoming messages, user-selected passwords, network statistics, etc., into their PRNGs as entropy samples. Replayed-input attacks are likely to be practical in the same situations, but require slightly less control or sophistication on the part of the attacker. Known-input attacks may be practical in any situation in which some of the PRNG inputs, intended by the system designer to be hard to predict, turn out to be easily predicted in some special cases. (An obvious example of this is an application which uses hard-drive latency for some of its PRNG inputs, but is being run using a network drive whose timings are observable to the attacker.)

3 t t o ro xt o tt k st t ompromis xt nsion 

tt k tt mpts to xt n th v nt g s o pr viously-su ss ul ffort 

ththsrovr s rs possi 1 uppos th t or wh t v r r son 
t mpor ry p n tr tion o omput r s urity n in v rt nt 1 k rypt - 
n lyti su ss t th v rs ry m n g s to 1 rn th int rn 1 st t 
t som point in tim st t ompromis xt nsion tt k su s wh n 

th tt k r is 1 to r ov r unknown N outputs (or istinguish thos 

N outputs rom r n om v lu s) rom or w s ompromis or 

r ov r outputs rom trth N hsollt sun o inputs 
whi h th tt k r nnot gu ss 

t t ompromis xt nsion tt ks r most lik ly to work wh n N is 

st rt in n ins ur (gu ss 1 ) st t u to insufh i nt st rting ntropy 
h y n Iso work wh n h s n ompromis y ny o th tt ks 
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in this list or y ny oth r m tho n pr ti it is pm nt to ssum 

th t o sion 1 ompromis s o th st t m y h pp n; to pr s rv th 
ro ustn ss o th syst m Ns shoul r sist st t ompromis xt nsion 
tt ks s thoroughly s possi 1 

( ) ktr k tt k ktr king tt k us s th ompromis o 

th N st t t tim to 1 rn pr vious N outputs 
()r toro ttk p rm n nt ompromis tt k 

0 urs i on n tt k r ompromis s t tim 11 utur n p st 
V lu s r vuln r 1 to tt k 

()trtv u ttk n it r tiv gu ssing tt k us s know- 

1 g o t tim n th int rv ning N outputs to 1 rn 

t tim + wh n th inputs oil t uring this sp n o tim r 
gu ss 1 ( ut not known) y th tt k r 
( ) t t tt k m t in th mi 1 tt k is ss n- 

ti lly om in tion o n it r tiv gu ssing tt k with ktr king 
tt k Knowl go t tim s n +2 How th tt k r to r ov r 

t tim + 

3 Attacking Real-World PRNGs

In this section, we discuss the strengths and weaknesses of four real-world PRNGs: the ANSI X9.17 PRNG, the DSA PRNG, the RSAREF PRNG, and CryptoLib.

3.1 The ANSI X9.17 PRNG

The ANSI X9.17 PRNG [ANS85, Sch96] is intended as a mechanism to generate DES keys and IVs, using triple-DES as a primitive. (Of course, it is possible to replace triple-DES with another block cipher.) It has been used as a general-purpose PRNG in many applications.

1. K is a secret triple-DES key generated somehow at initialization time. It must be random and used only for this generator. It is part of the PRNG's secret state, which is never changed by any PRNG input.

2. Each time we wish to generate an output, we do the following:

(a) T_i = E_K(current timestamp).

(b) output[i] = E_K(T_i ⊕ seed[i]).

(c) seed[i+1] = E_K(T_i ⊕ output[i]).

This generator is in widespread use in banking and other applications.

Direct Cryptanalytic Attack. Direct cryptanalysis of this generator appears to require cryptanalysis of triple-DES (or whatever other block cipher is in use). As far as we know, this has never been proven, however.
Input-Based Attacks. The X9.17 PRNG has a certificational weakness (assuming a 64-bit block size) with respect to replayed-input attacks. An attacker who can force the T values to freeze can distinguish the PRNG's outputs from random outputs after seeing about 2^32 64-bit outputs. In a sequence of random 64-bit numbers, we would expect to see a collision after about 2^32 outputs. However, with T frozen, we expect a collision from X9.17 to require about 2^64 outputs. This is mostly an academic weakness, but it may be relevant in some applications.

Otherwise, knowledge or control of inputs does not appear to weaken the PRNG against an attacker that doesn't know K.

State Compromise Extension Attacks. The X9.17 PRNG does not properly recover from state compromise. That is, an attacker who compromises the X9.17 triple-DES key K can compromise the whole internal state of the PRNG from then on without much additional effort.

Two Flaws. There are two flaws in the ANSI X9.17 PRNG that become apparent only when the PRNG is analyzed with respect to state compromise extension attacks.

1. Only 64 bits of the PRNG's state can ever be affected by the PRNG inputs. This means that once an attacker has compromised the PRNG, it can never fully recover, even after processing a sequence of inputs the attacker could never guess.

2. The seed[i+1] value is a function of the previous output, the previous T_i, and K. To an attacker who knows K from a previous state compromise, and knows the basic properties of the timestamp used to derive T_i, seed[i+1] is simply not very hard to guess.

Permanent Compromise Attack. Consider an attacker who learns K, but only later, after the seed internal variable has become totally different. He is given two successive outputs, output[i] and output[i+1]. (He has not seen any intervening outputs from the PRNG.) The attacker's goal will be to learn the value of seed[i+1]. Of course, one can trivially mount a 64-bit search and learn the seed value.

However, there is a much more effective way to mount this attack. Suppose that each timestamp value has ten bits that aren't already known to the attacker. (This is a reasonable assumption for many systems: for example, consider a millisecond timer and an attacker who knows to about the nearest second when an output was generated.) An attacker with two successive outputs can mount a meet-in-the-middle attack to discover the internal seed value, requiring about 2^10 trial encryptions under the known key. This works because we have

seed[i+1] = D_K(output[i+1]) ⊕ T_{i+1}

seed[i+1] = E_K(output[i] ⊕ T_i).

The attacker tries all possible values for T_{i+1} and forms one sorted list of possible seed[i+1] values, then tries all possible values for T_i and forms another sorted list of possible seed[i+1] values. The correct seed[i+1] value is the one that appears in both lists.

Iterative Guessing Attack. An attacker who knows seed[i] and K, and sees some function of output[i+1], learns seed[i+1] in almost all cases. This is true because the timestamp sample will seldom have much entropy. Using our earlier assumption of ten bits of entropy per timestamp sample, this means the attacker will need only a ten-bit guess. Note that the attacker needs only to see a function of the output, not the output itself. This means that a message encrypted with a key derived from the output value is sufficient to mount this attack. (Note the difference between this and the permanent compromise attack above, in which the attacker needs raw PRNG outputs.)

Backtracking. The attacker can move backwards as easily as forward with the iterative guessing attack, assuming he can find functions of the PRNG outputs. Alternatively, he may look for the successive pair of directly available PRNG outputs nearest to the unknown outputs he wants to learn, and mount the permanent compromise attack there.

Extending the Permanent Compromise Attack. Sometimes a PRNG may generate a large secret value and not directly output any bits of it. The attacker may thus know seed[i] and seed[i+8], but no intervening values. If this leaves him with (say) 80 bits of entropy, it might naively be assumed that he cannot recover these output values. However, this isn't necessarily the case, because a meet-in-the-middle attack is available. This works as follows:

1. The attacker mounts the attacks described above to learn the PRNG state before and after the run of values that were used together.

2. The attacker carries out a meet-in-the-middle attack, deriving one set of possible values for seed[i+4] by guessing T_i, ..., T_{i+3}, and deriving a second list by guessing T_{i+4}, ..., T_{i+7}. Each sequence of four timestamps has 40 bits of entropy, so this will require about 2^41 effort. The correct value of seed[i+4] will be present in both lists, so the seed[i+4] values that match (there will be about 2^16 of these) yield the possible sequences of timestamps and thus output blocks.

3. The attacker can try all these possible output sequences until he finds the right one. (For example, if the eight output blocks are used as an encryption key, 2^16 trial decryptions will suffice to eliminate all the false alarms.)

Timer Entropy Issues. In the above discussion, we have assumed that individual PRNG inputs have fixed amounts of entropy and thus take fixed amounts of effort to guess. In practice, this usually won't be the case. An RSA keypair generation might reasonably use two 512-bit pseudorandom starting points, thus requiring a total of sixteen PRNG output requests. However, these calls will almost certainly be made in rapid succession. Unless the timestamp on which the T values are based has a great deal of precision, many of these T values will be based on the same or very close timestamp values. This may well make meet-in-the-middle attacks practical, even though it might normally make sense to estimate at least three bits of unpredictability per timestamp.

Summary. The ANSI X9.17 key generator appears to be fairly secure from all attacks that involve neither stopping the timer used nor compromising the internal triple-DES key. Replaying any timer input about 2^32 times leads to a certificational weakness: a way to distinguish large numbers of X9.17 PRNG outputs from truly random sequences of bits. Compromising the internal triple-DES key completely destroys the X9.17 PRNG; it never recovers, even after getting thousands of bits' worth of entropy in its sampled timer inputs.

For systems that use X9.17, the most obvious way to resist this class of attack is to occasionally use the current X9.17 state to generate a whole new X9.17 state, including a new K and a new starting seed[0].

3.2 The DSA PRNG

The Digital Signature Standard specification [NIST94] also describes a fairly simple PRNG based on SHA (or, alternatively, a DES construction), which was intended for generating pseudorandom parameters for the DSA signature algorithm. Since this generator appears to come with an NIST stamp of approval, it has been used and proposed for applications quite different than those for which it was originally designed.

The DSA PRNG allows an optional user input while generating keys, but not while generating signature parameters. For our purposes, though, we will assume that the PRNG can be given user inputs at any time, as is true with the other PRNGs discussed in this paper. Each time the PRNG generates an output, it may be provided with an optional input, W_i. Note that omitting the input from the DSA design would guarantee that the PRNG could never recover from state compromise.

All arithmetic in this PRNG is allowed to be done modulo 2^N, where 160 ≤ N ≤ 512. In the remainder of this document we will assume this modulus to be 2^160, since this is the weakest value (with respect to one attack) that is allowed by the design.

Footnote (to the X9.17 section above): Crypto++ [Dai97] includes an implementation of an X9.17 variant with enhanced security against state compromise attacks. The variant is:

1. T_i = E_K(T_{i-1} ⊕ current timestamp).

2. output[i] = E_K(T_i ⊕ seed[i]).

3. seed[i+1] = E_K(T_i ⊕ output[i]).

This corresponds to encrypting the timestamps in CBC mode, instead of in ECB mode as in the standard X9.17 generator. The timestamp is based on the program's usage, and its resolution is platform-dependent; on Linux, it has 0.01 second resolution. We have not examined this closely, but we note that our permanent compromise attack, above, can extend to work on Crypto++'s X9.17 variant at the cost of using a 2^? search in the attack.

The PRNG works as follows:

1. The PRNG maintains an ever-changing state, X_i.

2. The PRNG accepts an optional input, W_i. This may be assumed to be zero if not supplied.

3. The PRNG generates each output as follows:

(a) output[i] = hash(W_i + X_i mod 2^160).

(b) X_{i+1} = X_i + output[i] + 1 (mod 2^160).

Direct Cryptanalytic Attacks. If the DSA PRNG's hash function is good, then the resulting output sequence appears to be hard to distinguish from a random sequence. It would be nice from a system designer's point of view to have some proof of the quality of this PRNG's outputs based on the collision-resistance or one-wayness of the hash function; to our knowledge, no such proof exists.

Input-Based Attacks. Consider an attacker who can control the inputs sent into W_i. If these inputs are sent directly in, there is a straightforward way to force the PRNG to repeat the same output forever. This has direct relevance if this PRNG is being used in a system in which the attacker may control some of the entropy samples sent into the PRNG. To force the PRNG to repeat, the attacker forms

W_{i+1} = W_i − output[i] − 1 (mod 2^160).

This forces the X value to repeat, which forces the output values to repeat. Note, however, that this attack fails quickly when the user hashes his entropy samples before sending them into the PRNG. In practice, this is the natural way to process the inputs, and so we suspect that few systems are vulnerable to this attack.

State Compromise Extension Attacks. The DSA PRNG doesn't handle state compromises as well as we might have liked, but it is much better in this regard than ANSI X9.17. Consider an attacker who has somehow compromised the entire internal state of the PRNG, but then lost track of its inputs and outputs for a long period. If enough entropy existed in those samples, then the PRNG will become as strong as ever against attack.

Input Handling Flaw. Just as with ANSI X9.17, the DSA PRNG leaks the effects of unguessable inputs in its output. Consider an attacker who has compromised the PRNG's state. The application sends in an input that the attacker can't guess (e.g., a sample with 90 bits of entropy). The attacker sees the next output. He doesn't need to guess the sample, because the only effect on future outputs this sample can have is through that output. Note that if the new X_{i+1} depended directly on X_i and W_i, this weakness wouldn't exist: an attacker who knew the state could still try to guess the entropy sample, but if he did not guess the right value, he would lose knowledge of the state.

Iterative Guessing Attack. This PRNG is vulnerable to an iterative guessing attack after the state has been compromised. That is, if an attacker knows X_i, and knows that W_i has only 20 bits of entropy, he can mount a 2^20 search and have a list of 2^20 160-bit outputs, one of which is output[i]. Note that the attacker needs only a function of the output, such as the DSA signature made with output[i] as its secret parameter value. Note also that knowledge of the correct value for output[i] also uniquely determines the value of X_{i+1}.

Backtracking. If an attacker knows X_i and output[i−1], then he is clearly able to backtrack to knowledge of X_{i−1}. This doesn't immediately gain him much, since he has to already know output[i−1] to be able to do this. However, in some circumstances this could turn out to be useful. Consider a situation in which the attacker knows X_i and X_{i+2} and output[i+1], but still needs to know output[i]. In this case he can solve for output[i] directly:

output[i] = X_{i+2} − X_i − 2 − output[i+1].

Summary. The standard's PRNG appears to be quite secure when used in the application for which it was designed: signature parameter generation. However, it doesn't perform well as a general-purpose cryptographic PRNG, because it handles its inputs poorly and because it recovers more slowly from state compromise than it should.

To adapt the PRNG to more general use, the following measures would eliminate most of the attacks we have observed:

1. Require hashing of all PRNG inputs before applying them.

2. Update X by the following formula:

X_{i+1} = X_i + hash(output[i] + W_i) modulo 2^160.
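To make the forced-repeat weakness and the two recommended changes concrete, here is an added Python model of the DSA PRNG as described in this section, next to a hardened variant that applies both recommendations. It is example code written for this page, not the standard's reference generator or the paper's own code; it assumes SHA-1 as the hash function, the 2^160 modulus assumed above, and a 20-byte big-endian encoding of the hash input. The chosen-input schedule W_{i+1} = W_i − output[i] − 1 and the backtracking identity are the ones given in the text.

```python
import hashlib

MOD = 1 << 160  # modulus 2^160, the weakest value the DSA design allows (assumed above)


def hash160(x: int) -> int:
    """SHA-1 of x, encoded as 20 big-endian bytes, returned as an integer.
    Assumption: SHA-1 stands in for the standard's hash function."""
    return int.from_bytes(hashlib.sha1((x % MOD).to_bytes(20, "big")).digest(), "big")


class DsaPrng:
    """The DSA PRNG as described above, with the optional input W_i fed in unhashed."""

    def __init__(self, x0: int) -> None:
        self.x = x0 % MOD

    def next(self, w: int = 0) -> int:
        out = hash160((w + self.x) % MOD)   # output[i] = hash(W_i + X_i mod 2^160)
        self.x = (self.x + out + 1) % MOD   # X_{i+1} = X_i + output[i] + 1
        return out


class HardenedDsaPrng:
    """Same generator with both recommendations applied: every input is hashed before
    use, and X_{i+1} = X_i + hash(output[i] + W_i)."""

    def __init__(self, x0: int) -> None:
        self.x = x0 % MOD

    def next(self, w: int = 0) -> int:
        w = hash160(w)                                         # recommendation 1
        out = hash160((w + self.x) % MOD)
        self.x = (self.x + hash160((out + w) % MOD)) % MOD     # recommendation 2
        return out


def chosen_input_outputs(prng, rounds: int, w0: int = 0) -> list:
    """Drive a generator with the schedule W_{i+1} = W_i - output[i] - 1 (mod 2^160)
    and return the outputs it produced. Against DsaPrng every output is identical,
    because W_{i+1} + X_{i+1} = W_i + X_i holds at each step."""
    outs = []
    w = w0 % MOD
    for _ in range(rounds):
        out = prng.next(w)
        outs.append(out)
        w = (w - out - 1) % MOD
    return outs


def repeats(prng_cls, rounds: int = 8, x0: int = 0x1234) -> bool:
    """True when the chosen-input schedule pins the generator to a single output."""
    return len(set(chosen_input_outputs(prng_cls(x0), rounds))) == 1


def backtracked_output(x_i: int, x_i_plus_2: int, out_i_plus_1: int) -> int:
    """output[i] = X_{i+2} - X_i - 2 - output[i+1] (mod 2^160): for the original update
    rule the states around a missing output determine it exactly (no hash inversion needed)."""
    return (x_i_plus_2 - x_i - 2 - out_i_plus_1) % MOD


if __name__ == "__main__":
    print("plain DSA PRNG repeats under chosen inputs:", repeats(DsaPrng))        # True
    print("hardened PRNG repeats under chosen inputs:", repeats(HardenedDsaPrng))  # False
```

With the unhashed input path the schedule cancels the state update exactly, so one output is emitted forever; once inputs pass through the hash first, steering the sum W_i + X_i would require a preimage, and the same schedule produces distinct outputs. The backtracking identity is exact only for the original update rule; the hardened update breaks it, which is what recommendation 2 buys.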



3.3 The RSAREF PRNG

The PRNG included with RSAREF 2.0 is built almost entirely around two operations: MD5 hashing and addition modulo 2^128. It is the most conceptually simple design of any we have analyzed. The RSAREF 2.0 PRNG consists of the following:

1. A 128-bit counter, C_i.

2. A method for processing inputs. To process input X_i, we do the following:

C_{i+1} = C_i + MD5(X_i) modulo 2^128.

3. A method for generating outputs. To generate output[i], we do the following:

output[i] = MD5(C_i) modulo 2^128.

C_{i+1} = C_i + 1 modulo 2^128.
Direct Cryptanalytic Attacks. We will treat MD5 as a random function. While there have been interesting cryptanalytic results on MD5 in the last several years, none of them offer an obvious way to attack the PRNG.

Partial Precomputation Attacks. There is a straightforward attack on a counter-mode generator of this kind. An attacker chooses some number k of successive outputs that he expects to see, and then computes the hash of every kth possible counter value. He is guaranteed to see one of these hashes after k outputs; at that point, he knows the whole counter value. This attack is impractical for a 128-bit counter, but it gives an upper bound on the strength of this generator. With 2^32 outputs, an attacker would need to do 2^96 precomputation to mount the attack; with 2^48 outputs, he would need to do 2^80 precomputation. These attacks also require a great deal of memory, though time/memory trade-offs can reduce that.

Timing Attacks. The code to increment the 128-bit internal counter has the property that it will leak some information about the resulting 128-bit counter, by how many 8-bit operations the computer must execute. This opens a timing channel for an attacker.

An attacker able to observe the time taken to generate each new output can learn how many zero bytes are in the counter each time it is incremented. This is simply a matter of determining how many bytewise additions had to be done to increment the counter properly. There are two facets to this attack. First, counter values that are all-zero in their low-order few bytes leak a great deal of information through the timing channel; these can be considered a kind of weak state. Second, when combined with the partial precomputation attack discussed above, the timing information can be used to know when to bother checking the PRNG output against a precomputed table. This is a small advantage, but ...

Input-Based Attacks. Note that several input-based attacks are possible against RSAREF's PRNG. In particular, chosen-input attacks exist against the RSAREF PRNG. They become quite powerful when the attacker can also monitor precise timing information from the machine on which the PRNG is running.

Forcing Short Cycles. An attacker can force the PRNG into a short cycle by choosing the input value properly. Let input_0 be a chosen input for the PRNG such that MD5(input_0) has all ones in its low-order k bytes. An attacker requests a long sequence of outputs, requesting these inputs one per output. He forces the PRNG to cycle much faster, because the low-order k bytes of the counter are fixed. Thus, for k = 8, the cycle length is shortened to 2^64 outputs. Note that the attacker doesn't know what those bytes are, but he knows that they are the same every time the PRNG uses them to generate another output.

A more powerful way to shorten the cycle takes advantage of the birthday paradox. Suppose A, B are two chosen inputs such that MD5(A) + MD5(B) has all ones in its low-order k bytes. Then an attacker can send A, B as inputs to the PRNG and observe the outputs; with this procedure he should see the PRNG cycle after about 2^(128−8k) outputs, as above. For example, for k = 16 it takes about 2^64 offline work to find a suitable A, B if an attacker uses an efficient collision search algorithm (see e.g. [OW95, OW96]); this choice of chosen inputs will force the generator to repeat immediately.

More generally, we can get a simple "time travel" attack: if no new inputs were mixed in during the last n outputs, then the attacker can send the PRNG back in time n steps by sending two chosen inputs whose MD5 digests sum to −n (again with the same time complexity).

Chosen-Input Timing Attack. A much more powerful attack is available if the attacker can monitor precise operation timings, and if MD5 operates in constant time. The counter increment operation in the source code will leak how many zero bytes are in the resulting counter value, by how many 8-bit additions were required and thus by how long the counter increment operation took. During the counter increment operation (unlike the operation used to combine in entropy from an input), detecting k 8-bit additions means that the resulting low-order k − 1 bytes are zero.

The attack occurs in two stages. In the precomputation stage, which is done once, the attacker generates the chosen entropy values he is to use later and also generates a table of hashed counter values. In the execution stage, which is done each time he wishes to attack some PRNG state, he uses those chosen entropy values to force the internal counter to a value that has its low-order 104 bits set to all zeros. The attack requires about 2^48 offline trial hashes and 2000 chosen-entropy requests.

The precomputation stage works as follows:

1. For j = 1 to 12, the attacker finds input_{0,j}, input_{1,j} such that

MD5(input_{0,j}) + MD5(input_{1,j})

is all ones in its low-order j bytes, and that its next lowest order byte is even. This is expected to take about 2^(4j) effort using a collision-search algorithm.

The stage of executing the attack works as follows:

1. The attacker watches increment timing values until he knows that the low-order byte of the counter is zero. (He can see this because of the extra addition operation, which alters the time taken for the input to process.)

2. For j = 1 to 12 he does the following:

(a) He requests an update with input_{0,j}. This forces the counter value to all ones in its low j bytes.

(b) He requests an output value and observes the time taken for the output generation, inferring how many times the PRNG executed an 8-bit operation in the increment. He keeps requesting the update with input_{1,j} and then the output until he gets j + 2 8-bit operations instead of j + 1.

(c) At this point, he has forced the low j + 1 bytes to zeros.

3. At the end of the above loop, the attacker has forced the low-order thirteen bytes of the counter to zero values. He now carries out a brute-force search of the remaining three bytes of C and cracks the PRNG.

Footnote: We note that RSAREF is designed for only 64 bits of collision-resistance, and so perhaps one might not expect it to provide more than 64 bits of security. However, it is apparently being used for generating 1024-bit moduli and establishing triple-DES keys, so it is apparently being trusted for more than 64 bits of security.
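The timing channel exists because the increment loop stops at the first byte that does not carry. As an added illustration (this page does not show RSAREF's own loop, and the code below is not it), here is a Python model of a byte-wise little-endian increment with early exit, a constant-time counterpart that touches every byte on every call, and a check of the relation stated above: the number of 8-bit additions equals one plus the number of low-order zero bytes in the resulting counter. The 16-byte width and the little-endian byte order are assumptions of the model.

```python
def increment_early_exit(counter: bytearray) -> int:
    """Increment a little-endian counter in place, one byte at a time, stopping at the
    first byte that does not wrap to zero. Returns the number of 8-bit additions done,
    which is what an observer of the increment's running time learns.
    Assumption: modelled on the loop described in the text, not on RSAREF's code."""
    ops = 0
    for i in range(len(counter)):
        ops += 1
        counter[i] = (counter[i] + 1) & 0xFF
        if counter[i] != 0:      # no carry out of this byte: stop, so time depends on value
            break
    return ops


def increment_constant_time(counter: bytearray) -> int:
    """Same arithmetic result, but every byte is updated on every call, so the number of
    operations (and hence the time) does not depend on the counter value."""
    carry = 1
    for i in range(len(counter)):
        total = counter[i] + carry
        counter[i] = total & 0xFF
        carry = total >> 8
    return len(counter)


def low_order_zero_bytes(counter: bytes) -> int:
    """Number of consecutive zero bytes starting at the least significant byte."""
    n = 0
    for b in counter:
        if b != 0:
            break
        n += 1
    return n


def leak_profile(start: int, steps: int, width: int = 16) -> list:
    """Op counts of `steps` early-exit increments from `start`: the sequence an attacker
    timing successive output generations would see (constructed sample, not measured)."""
    c = bytearray(start.to_bytes(width, "little"))
    return [increment_early_exit(c) for _ in range(steps)]


def relation_holds(start: int, steps: int = 1000, width: int = 16) -> bool:
    """Check at every step that ops == 1 + low-order zero bytes of the new counter
    (true short of a full wrap-around of the counter)."""
    c = bytearray(start.to_bytes(width, "little"))
    for _ in range(steps):
        ops = increment_early_exit(c)
        if ops != 1 + low_order_zero_bytes(bytes(c)):
            return False
    return True


if __name__ == "__main__":
    print(leak_profile(0xFE, 3, width=4))        # [1, 2, 1]: the second step carried once
    print(relation_holds(0xFFFF_FFF0, 100))      # True
```

The constant-time version is the mitigation the recommendations below call for when timing can leak: its loop does the same work regardless of how many bytes carry, so an observer learns nothing about the low-order bytes from the increment's duration.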

State Compromise Extension Attacks.

Order-Independence of Inputs. The RSAREF PRNG's input-processing mechanism has a potentially dangerous flaw: it is order-independent. That is, updating the PRNG with A and then with B is the same as updating it first with B and then with A. This flaw was originally discovered by Paul Kocher [Koc95, ?96], but it is still worth noting here. The effect of this is to make the PRNG more likely to start in an insecure state, and also to make the PRNG require considerably more entropy in its inputs before its state is unguessable.

Iterative Guessing Attack. The iterative guessing attack works here. That is, if an attacker has compromised C_i, then each time the user updates his state with some X_i guessable by the attacker, and then generates an output output[i+1] which the attacker finds (even if that output is used as a symmetric encryption or authentication key, or is a key or parameter encrypted under a public key), he can maintain his knowledge of the PRNG's state. If the PRNG manages to get updated with an unguessable input between a compromised state and a visible output, however, then he loses his knowledge of the state.

Backtracking. The RSAREF PRNG is vulnerable to backtracking in a straightforward way. The iterative guessing attack works exactly as well backwards as forwards, and when an attacker doesn't have new entropy samples, backtracking is exactly as easy as walking the generator forward.

Summary. The RSAREF 2.0 PRNG is vulnerable to chosen-input attacks which can force it into short cycles, chosen-input timing attacks which can reveal its secret state, and iterative guessing and backtracking attacks which can allow an attacker to extend his knowledge of the secret state backward and forward through time. It also must be used very carefully due to the fact that inputs affect it in an order-independent way.

To minimize the danger of these attacks, we make the following recommendations:

1. Guard against chosen-input attacks in the design of the system that uses the PRNG.

2. Be careful using the PRNG in situations where timing information might leak.

3. Append the current timestamp and/or a counter to all inputs before sending them into the PRNG, to eliminate the order-independence of PRNG inputs.
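Recommendation 3 can be checked directly. The following added Python model (written for this page, not RSAREF's own code) implements the counter, input processing and output generation exactly as listed at the start of this section, then a variant that appends a running sequence number to each input before it is hashed in. Feeding the same two inputs in either order reaches the same state in the first generator and different states in the second. MD5 via hashlib, a 16-byte big-endian counter encoding and the 8-byte sequence tag are assumptions of the model; the two inputs are constructed samples.

```python
import hashlib

MASK128 = (1 << 128) - 1


def md5_int(data: bytes) -> int:
    """MD5 digest of data as a 128-bit integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


class RsarefPrng:
    """RSAREF 2.0 PRNG as described above: C += MD5(input); output = MD5(C); C += 1."""

    def __init__(self, c0: int = 0) -> None:
        self.c = c0 & MASK128

    def update(self, data: bytes) -> None:
        self.c = (self.c + md5_int(data)) & MASK128      # addition commutes: order is lost

    def output(self) -> bytes:
        out = hashlib.md5(self.c.to_bytes(16, "big")).digest()
        self.c = (self.c + 1) & MASK128
        return out


class TaggedInputPrng(RsarefPrng):
    """Recommendation 3: append a running counter to every input before it is hashed in,
    so an input's contribution depends on when it arrived (tag format is an assumption)."""

    def __init__(self, c0: int = 0) -> None:
        super().__init__(c0)
        self.seq = 0

    def update(self, data: bytes) -> None:
        self.seq += 1
        super().update(data + self.seq.to_bytes(8, "big"))


def state_after(prng_cls, inputs: list) -> int:
    """Feed the inputs, in order, into a fresh generator and return its counter."""
    g = prng_cls()
    for x in inputs:
        g.update(x)
    return g.c


def order_independent(prng_cls, a: bytes, b: bytes) -> bool:
    """True if updating with a then b leaves the same state as b then a."""
    return state_after(prng_cls, [a, b]) == state_after(prng_cls, [b, a])


def first_outputs(prng_cls, inputs: list, n: int = 2) -> list:
    """Outputs produced after the given inputs; equal states yield equal output streams."""
    g = prng_cls()
    for x in inputs:
        g.update(x)
    return [g.output() for _ in range(n)]


if __name__ == "__main__":
    A = b"constructed sample input A"   # constructed sample, not from any real system
    B = b"constructed sample input B"
    print("RSAREF model order-independent:", order_independent(RsarefPrng, A, B))      # True
    print("tagged model order-independent:", order_independent(TaggedInputPrng, A, B))  # False
```

The tag makes the set of reachable states depend on the order in which entropy arrived, which is what the recommendation is after: an attacker who knows which inputs were fed but not their order no longer gets the state for free.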

3.4 Cryptolib

Cryptolib is a cryptographic library developed primarily by Jack Lacy, Don Mitchell, William Schell and Matt Blaze, and initially described in [LMS93]. The primary source of randomness in Cryptolib is truerand, a mechanism for pulling (hopefully) unpredictable values out of the clock skew between different timers available to the system. These values can be used directly (though the documentation warns callers not to rely on more than 16 bits of entropy per 32-bit word), or can be used to seed one of the available pseudorandom number generators, fsrRand or desRand.

fsrRand and desRand are not PRNGs by our definition, but rather are stream ciphers. That is, they do not have any mechanisms for processing additional inputs "on the fly," but rather are seeded and then run to generate pseudorandom numbers. This is not unreasonable, given the assumption that truerand delivers truly random bits, since the system designer can simply generate a whole new state every few minutes and otherwise needn't worry about entropy collection. The combination of truerand and fsrRand, or truerand and desRand, can be analyzed in the same way as the other PRNGs in this paper. That is, we assume that the system initializes the state of either fsrRand or desRand using truerand, uses one of these mechanisms to generate whatever pseudorandom values are needed, and that the whole mechanism is periodically reinitialized from truerand. Truerand is thus the source of PRNG inputs, and fsrRand or desRand is the source of PRNG outputs.

Description of the Generators. fsrRand is described in [LMS93]. Its secret state consists of a secret DES key and an array of seven 32-bit values, X_0 .. X_6, organized as a shift register. Each time an output is required, two of the 32-bit values are taken and concatenated to form a 64-bit value. This value is then encrypted with DES under the secret key. The resulting ciphertext is split into two 32-bit halves; one half is fed back into one of the 32-bit values (in the same way a shift register value might be updated), the other half is output. The register is then shifted so that two new values will be used to generate the next output. A more complete description can be found in [LMS93].

desRand appears in the Cryptolib source code (version 1.2). Its secret state consists of a 64-bit counter C, a secret three-key triple-DES key K, a secret 20-byte prefix P, and a secret 20-byte suffix S. Each new 32-bit output is generated as follows:
1. Use the SHA-1 hash function to compute h = SHA1(P || C || S).

2. Use triple-DES to compute e = E_K(C).

3. XOR together the high-order eight bytes of the hash value with the result from the encryption; output the high-order four bytes of this result.

4. Set C = C + 1.

Direct Cryptanalytic Attacks.

fsrRand. There is a direct cryptanalytic attack on fsrRand requiring about 2^88 effort. The attack uses the fact that once the attacker knows K and any one PRNG output, he can build a table of the 2^32 possible halves of the ciphertext that was used for feedback. For each value, he gets a whole 64-bit ciphertext, which he can decrypt into a 64-bit plaintext yielding both 32-bit values from the array.

1. The attacker guesses the key K.

2. The attacker gets the outputs when the shift register pairs used are (X_a, X_b), (X_b, X_c) and (X_c, X_d) for some register indices, and the pair (…) will be updated with the fed-back value.

3. For the first two output values, the attacker computes all 2^32 possible feedback values (the 32-bit half of the ciphertext that was not output). This allows him to compute X_b for each guess. We expect there to be only one pair of feedback guesses that leads to the same X_b value.

4. The attacker uses the feedback value from the first output (learned in the previous step) to compute what the new X_b value should be. He then mounts another 2^32 guess of the feedback value for the third step and uses this to derive the current X_c and other register value. If he has the wrong key value, he expects not to find any matching value for X_c; if he has the right value, he expects to find one value that agrees.

This demonstrates a certificational weakness in fsrRand at most; the computational requirements are very probably outside the reach of any attacker right now.

desRand. We are not aware of any direct cryptanalytic attacks available on desRand. The desRand design appears to us to be very conservative and unlikely to be attacked in the future. Note that nothing like the timing attack on RSAREF's PRNG is available here, despite the use of a counter.

Footnote: It could be argued that desRand has only 6? bits of strength, and this construction was intended for no more strength than that. We find this argument unconvincing: desRand was clearly an attempt to get more than 6? bits of strength from DES; otherwise, DES-CBC or counter mode would have been used.

Cryptanalytic Attacks on Pseudorandom Number Generators 13

Input-Based Attacks. These systems accept input only once, and accept it directly from truerand or from a buffer provided by the caller. This (re)initializes the PRNG. In the context of the following discussion, a known-input attack means that the attacker has learned how to predict some truerand values early. If the attacker can know all the truerand values, there is no cryptanalysis to perform. An interesting result occurs if the PRNG becomes weak with only a small number of predictable truerand values.

fsrRand. An attacker who knows any two X values used as a plaintext block for DES can mount a keysearch attack and reduce the possible number of keys to about 2^24. He must then wait until the first of those values makes it into the input again, and carry out an additional 2^32 search per candidate key; this will determine the key uniquely. This requires a total of about 2^57 trial encryptions and about 2^24 blocks of memory. From this point the attacker can quickly recover the remaining state of the PRNG. An attacker who can guess any two such values with 2^t work can mount the same attack with 2^(57+t) trial encryptions and 2^24 blocks of memory.

An attacker who knows the key can recover the remaining PRNG state with about 2^33 effort, using the same methods described for direct cryptanalysis of the PRNG above.

A more subtle concern might involve flaws in the quality of values from truerand. Consider an attacker who knows, for a given system, that only 2^8 32-bit outputs from truerand are possible. If fsrRand is reseeded directly from truerand, this leads to a fairly simple attack. fsrRand's key must come from truerand, and the attacker can quickly list all possible 56-bit values that could have been generated, getting about 2^16 of them, and then carry out the attack described above. In general, if there are 2^t possible values for fsrRand's key, then the attack will take 2^t trial decryptions. This is an improvement for t < 56, naturally.

Note that this demonstrates that fsrRand doesn't profit from the full entropy it receives during reseeding; in the example above, fsrRand would get 8 bits of entropy per 32-bit word used to reseed it, for a total of 112 bits of entropy.

desRand. We are aware of no reasonable known-input attacks on desRand. An attacker with knowledge of K and C but not P and S appears to have no chance to defeat the PRNG; similarly, an attacker with knowledge of P and S but not C or K appears to have no chance to defeat the PRNG.

State Compromise Extension Attacks. The desRand and fsrRand generators don't process inputs, and so can never recover from state compromise. However, if truerand is used to generate a whole new state every few minutes, the scope of state compromise is made very small. It is worth noting that both desRand and fsrRand allow an attacker in possession of their current state to go backwards as well as forward, learning all values ever generated by them. That is, if the PRNG state ever is compromised, the attacker can learn every output ever generated by that state. If the system is designed to reinitialize its PRNG with truerand values once every hour, then this means compromise of all PRNG outputs for that hour. If the system reinitializes the PRNG more frequently, then the attacker learns fewer outputs; if less frequently, then the attacker learns more outputs.

Summary. Assuming truerand is a good source of unpredictable values, the PRNGs built by putting it together with either fsrRand or desRand appear to be of reasonable strength, but desRand appears to be more resistant to various attacks than fsrRand. Note, however, that nearly all of these attacks require DES keysearching or doing some similarly computationally expensive task. We make the following recommendations:

1. System designers should verify, both by statistical analysis and by an analysis of their target systems' designs, whether truerand will reliably provide unpredictable numbers on their systems. (This holds true for every source of unpredictable inputs for every PRNG.)

2. In environments where truerand's outputs may be suspect (perhaps due to malicious actions by the attacker), we recommend that desRand rather than fsrRand be employed.



In this paper, we have argued for treating PRNGs as their own kind of cryptographic primitive, distinct from stream ciphers, hash functions and block ciphers. We have discussed the requirements for a PRNG, developed abstract attacks against an idealized PRNG, and then demonstrated those attacks against four real-world PRNGs.

4.1 Guidelines for Using PRNGs

In the earlier sections we discussed possible countermeasures for many of the attacks we have developed. Here we propose a list of ways to protect PRNGs against each of the classes of attacks we discussed.



1. Use a hash function to protect vulnerable PRNG outputs. If the PRNG is suspected to be vulnerable to direct cryptanalytic attack, then outputs from the PRNG should be preprocessed with a cryptographic hash function. Note that not all possible flawed PRNGs will be secure even after hashing their outputs, so this doesn't guarantee security, but it makes security much more likely.

2. Hash PRNG inputs with a counter or timestamp before use. To prevent most chosen-input attacks, the inputs should be hashed with a timestamp or counter before being sent into the PRNG. If this is too expensive to be done every time an input is processed, the system designer may want to only hash inputs that could conceivably be under an attacker's control.






Figure 3: Generalized PRNG with periodic reseeding.




3. Occasionally generate a new starting PRNG state. For PRNGs like ANSI X9.17, which leave a large part of their state unchangeable once initialized, a whole new PRNG state should occasionally be generated from the current PRNG. This will ensure that any PRNG can fully reseed itself, given enough time and input entropy.

4. Pay special attention to PRNG starting points. The best way to resist all the state-compromise extension attacks is simply never to have the PRNG's state compromised. While it's not possible to guarantee this, system designers should spend a lot of effort on starting their PRNG from an unguessable point, handling PRNG seed files intelligently, etc. (See [Gut98] for several ways that this can be done.)

4.2 Guidelines for Developing PRNGs

Having described a set of possible attacks on PRNGs, it is reasonable to try to discuss ways to develop new PRNGs that will resist them. We propose the following guidelines for developing new PRNGs:

1. Base the PRNG on something strong. The PRNG should be designed so that a successful direct cryptanalytic attack implies a successful attack on some cryptographic primitive that's believed to be strong. Ideally, this would be proven.
... from the entropy pool ... the generation state ... only when enough ...
5. Resist input attacks. The inputs to the PRNG should be combined into the PRNG state in such a way that, given an unguessable sequence of inputs, an attacker who starts knowing the PRNG state but not the input sequence, and an attacker who starts knowing the input sequence but not the state, are both unable to guess the ending state. This provides some protection against both chosen-input and state compromise extension attacks.

6. Recover from compromises quickly. The PRNG should take advantage of every bit of entropy in the inputs it receives. An attacker wanting to learn the effect on the PRNG state of a sequence of inputs should have to guess the entire input sequence.
1. Dedicated PRNG algorithms. Early in this paper, we made the assertion that PRNGs are a distinct kind of cryptographic primitive. Existing PRNGs are almost all built out of existing cryptographic primitives. This raises the question of whether it makes sense to build dedicated PRNG algorithms. Typically, the motivation for building a dedicated algorithm is to improve performance. Are there applications where the PRNG's performance is a serious enough issue to merit a new algorithm?

2. Security proofs. Since most currently-fielded PRNGs are based on existing cryptographic primitives, it would be nice to see some security proofs demonstrating that mounting some class of attack on the PRNG is equivalent to breaking an underlying block cipher, stream cipher or hash function.

3. Starting points. One likely way for an attacker to compromise the PRNG state is for the PRNG to start in a guessable state. This raises the issue ... very different than any of the systems we have reviewed here; they typically maintain a considerably larger state (or "pool") in hopes of accumulating large amounts of entropy.

6. We have discussed flaws in existing PRNGs. We are interested in seeing new designs proposed that resist our attacks. A PRNG of our own is currently under development; details will be posted to ... as they become available.



The authors would like to thank Greg Guerin, Peter Gutmann and [names lost] for improving the paper's presentation.

Jacques Stern and Serge Vaudenay



École Normale Supérieure (ENS)

Abstract. This paper presents a new block cipher which offers a good encryption rate on any platform. It is particularly optimized for hardware implementation, where the expected rate is several Gbps on a small dedicated chip working at 30MHz. It combines up-to-date state of the art concepts in order to make it (hopefully) secure: a diffusion network based on the Fast Fourier Transform, multipermutations, and highly nonlinear confusion boxes.



The recent explosion of the telecommunication marketplace motivates the research on encryption schemes. Facing security issues pushed the government to start the development of DES in the 70s [1, 11]. All telecommunication devices now need to be secured by encryption. Many attacks have been proposed against DES, including Biham and Shamir's differential cryptanalysis [5, 6] and Matsui's linear cryptanalysis [15, 16]. Still the best practical attack seems to be exhaustive search, which has become a real threat as shown by the recent success of the challenge [31]. In this paper we propose a new symmetric encryption scheme which has been designed in order to be efficient on any platform, including cheap 8-bit microprocessors (smart cards), modern 32-bit microprocessors (Pentium) and dedicated chips.



• || is the concatenation of two strings

• [symbol lost] is the bitwise exclusive or of two bitstrings (with equal lengths)

• [symbol lost] rotates a bitstring by one position to the left

• [symbol lost] is the bitwise and of two bitstrings (with equal lengths)

• bitstrings are written in hexadecimal by packing four bits into one digit (for instance [value lost] denotes the bitstring [value lost])

• the numbering of bits in bitstrings is from right to left starting with 0 (the bit with index 0 denotes the last bit of the string)

• bitstrings and integers are converted in such a way that x_{n-1}||...||x_0 corresponds to the integer x_{n-1}·2^{n-1} + ... + x_0



Part of this work has been supported by [text lost].

Subject to patent matter.

u t tw t 7 0 
The cipher is a symmetric block cipher which can be used in any mode to encrypt a block stream (e.g. the cipher block chaining mode, see [2]). Basically the encryption function maps a 64-bit plaintext block onto a 64-bit ciphertext block by using a secret key which is a bitstring with bit length up to 128. The decryption function maps the ciphertext onto the plaintext by using the same secret key. We assume that the plaintext block is represented by a bitstring whose bits are indexed 63 down to 0,
6 0 



n we simil ly w ite 



* 6 



0 * 



We also assume that the key string is padded with trailing zero bits to get a length of 128 bits:



7 *** 



(A key is therefore equivalent to another key which consists in padding it with a few zero bits.)

A key scheduling scheme first processes the secret key in order to obtain nine 64-bit subkeys, iteratively in this order. If the secret key has to be used several times we recommend precomputing this sequence, which may notably increase the encryption rate.

The encryption algorithm processes iteratively each subkey in the right order, whereas the decryption algorithm processes them in the reverse order. We thus recommend keeping storage of all subkeys for decryption, or adapting the key scheduling scheme so that it can generate the subkeys in the reverse order.



Let the padded 128-bit secret key be given. We first split the bitstring into two 64-bit strings (their names are lost on the page) such that [equation lost].

Those strings initialize a sequence whose subsequent terms are the nine 64-bit subkeys to compute. The sequence comes from a Feistel scheme as [equation lost] for i = 0..8, where the round function of the key schedule is defined below (see Feistel [9]). Figure 1 illustrates the key scheduling scheme together with the encryption itself.

The round function of the key schedule maps a 64-bit string onto a 64-bit string by using a 64-bit constant. In the definition of the constants, they are defined as the first bytes of the table of the byte-permutation which will be defined below:

[Table of the nine 64-bit constants lost in extraction.]



The key-schedule round function is defined by

[equation lost]

where the byte-permutation maps an 8-bit string onto an 8-bit string according to a table, and the other component is a bit transposition. (Software implementations will use a lookup table of the byte-permutation, whereas hardware implementations may use its inner structure, which will be detailed below.)

Given a 64-bit string we split it into eight 8-bit strings (bits 63..56 down to bits 7..0) such that the string is their concatenation. We next apply the permutation byte-wise: we compute the concatenation of the eight permuted bytes, applying the byte-permutation to each 8-bit string separately.



The transposition is the 8×8 bit-matrix transposition. More precisely, given a 64-bit string we first split it into eight 8-bit strings as above and write it in an 8×8 bit-matrix fashion in such a way that the first row is the first byte, the second row is the second byte, and so on. The transposition simply transposes the matrix, so that the first eight bits of the output are the first bits of the eight input bytes in this order, the second eight bits are the second bits, and so on. Thus we have



*6 



1*711*6 



1 * 0 * 



Figure 2 illustrates how the round function works in the key scheduling scheme.



The encryption process is performed through eight rounds by using a round-encryption function which is a permutation on the set of all 64-bit strings. If x denotes the 64-bit plaintext block and the nine 64-bit subkeys are taken in order, the ciphertext block is

[equation lost: the composition of the eight keyed round functions applied to x]

as depicted on Figure 1.

[Figure 2 residue lost. Caption:] The round function in the key scheduling scheme

The round-encryption function is based on the Fast Fourier Transform graph and a 16-bit to 16-bit function, as depicted on Figure 3. It also uses two 64-bit constants defined by the binary expansion of the mathematical constant e = 2.… [the constant values are lost on the page]. Thus we define

[equation lost]

More precisely, in each encryption round we iterate the following scheme three times:

• we xor with a constant (which is successively the subkey and the two constants),

• we split the 64-bit string into four 16-bit strings and we apply the 16-bit function to each of them, obtaining four 16-bit strings which we combine into a 64-bit string,

[Figure 3 caption:] One encryption round



• we split it again into eight 8-bit strings

[byte order lost]

and we change their order as

[byte order lost].

The 16-bit function takes a 16-bit string which is split into two 8-bit strings, and computes a 16-bit output, itself the concatenation of two 8-bit strings, by

[two equations lost]

where the inner function is defined by

[equation lost]

[Figure 4 caption:] Computation graph of the two functions

The computation is depicted on Figure 4 (with the xor to its input, which is always performed).

The byte-permutation (which is also used in the key scheduling scheme) is defined by a three-round Feistel cipher represented on Figure 5: the 8-bit input is split into two 4-bit strings and we compute successively

[three round equations lost]

where the two round functions are two special functions.

The first function is defined by a table

[table lost]

which comes from [expression lost].

The second function is defined by a table

[table lost]

which does not come from a simple expression.

Finally the value of the byte-permutation is given as follows by its table.

[Figure 6 caption:] One decryption round



Details of the decryption are left to the reader. We simply observe that the inverse of the 16-bit function can be computed by

[two equations lost]

where

[equation lost]

As an example we encrypt the plaintext [value lost] with the secret key [value lost]. The subkey sequence is
[subkey values lost in extraction]

For instance the first generated subkey is [computation lost].



The messages which enter into each round are

[values lost in extraction]

[Worked trace lost; surviving fragments: in the first round the message is transformed through the three layers; for the first layer it is xored with the first subkey, the byte-permutation is applied and the bytes are permuted; the intermediate results between the layers and the resulting ciphertext are lost.]

As an implementation test we mention that if we iterate one million times the encryption on the all-zero bitstring with the previous key, we obtain the final ciphertext [value lost].



The Fast Fourier Transform used in the round-encryption function has been used in several cryptographic designs, including Schnorr's FFT-Hashing [22], FFT-Hash [23], Schnorr and Vaudenay's Parallel FFT-Hashing [24] and Massey's designs [13, 14]. This graph has been proved to have very good diffusion properties when one iterates it twice (see [25, 26, 30]).

The structure of the 16-bit function implements a multipermutation as defined by Schnorr and Vaudenay (see [25, 29, 30]). In this case it means that the function is a permutation over the set of all 16-bit strings, and that arbitrarily fixing any one of the two 8-bit inputs makes both 8-bit outputs be permutations of the other one. This is due to a very particular property of the byte-permutation, namely that both the permutation itself and the map sending a byte to the xor of the byte with its image (which is in fact [lost]) are permutations. Actually [two functions whose names are lost] are linear involutions.

Those properties make the round function be what we call a multipermutation, such that if we arbitrarily fix seven of the eight inputs, all outputs are a permutation of the remaining free input. This performs good diffusion.

The best general attack methods on block ciphers have been introduced by Gilbert, Chassé, Tardy-Corfdir, Biham, Shamir and Matsui (see [11, 28, 5, 6, 15, 16, 10]). They are now known as differential and linear cryptanalysis. We now study how the cipher has been protected against them.

The byte-permutation has been chosen to be a nonlinear involution, in the sense that both differential and linear cryptanalysis are hard. Nonlinearity has one measure corresponding to differential cryptanalysis (which has been defined by Nyberg [19]) and one measure corresponding to linear cryptanalysis (which has been defined by Chabaud and Vaudenay [7]). Here we use the formalism introduced by Matsui [17]:

[definitions of the differential and linear nonlinearity measures lost in extraction]

The two functions (names lost) are such that the differential measure is 2^(-…) and the linear measure is 2^(-…) [exponents lost on the page]. If the Theorem of Aoki and Ohta [3] (which generalizes the Theorem of Nyberg and Knudsen [20]) were applicable in this setting, we would then obtain [values lost]. Both properties are however still satisfied, as the experiment shows. From [19, 7] it is known that for any function on the set of all m-bit strings both measures are at least 2^(-…) [bound lost], but it is conjectured that 2^(-…) is a better bound for even m (see Dobbertin [8] for instance). So our functions are reasonably nonlinear. Since it is well known that the heuristic complexity of differential or linear cryptanalysis is greater than the inverse of the product of the measures of all active S-boxes (see for instance Heys and Tavares [12]), having mixing functions makes at least five S-boxes per round active, so no four rounds of the cipher have any efficient differential or linear characteristic.



In any kind of implementation the key scheduling scheme is assumed to be precomputed. This part of the cipher has not been designed to have special implementation optimizations. The authors believe that every time one changes the secret key one has to perform expensive computations (such as asymmetric cryptography key exchange protocols or key transfer protocols), so optimizing the precomputation of the subkey sequence is meaningless. In the following sections we only discuss implementation of the encryption (or decryption) scheme.







The cipher is highly optimized for VLSI implementations. It may be noticed that the 16-bit function has been designed to get a friendly boolean circuit implementation. Actually Figure 7 illustrates a cheap nand-circuit with depth [value lost] and only 16 nand gates.

We propose two possible easy implementations. In the first one we really implement one third of a single round encryption. It has two 64-bit input registers and one 64-bit output register. It is easy to see that an encryption can be performed by iterating this circuit 2[digit lost] times and loading the subkey sequence. A straightforward estimate shows this circuit requires 1216 nand-gates with depth 26. This implementation can be embedded in any microprocessor within less than 1mm² in order to get a simple microcoded encryption instruction. One 30MHz-clock cycle is enough to compute one layer, thus one 64-bit encryption requires 2[digit lost] clock cycles, which leads to 73Mbps, which is quite fast for such a cheap technology.

The second implementation consists in making a dedicated chip which consists of 2[digit lost] times the previous circuit in a pipeline architecture. We estimate we need 15mm² in order to implement a 30000 nand-gate circuit which performs a 64-bit encryption within one 30MHz-clock cycle, which leads to an encryption rate of 2Gbps. This can be used to encrypt ATM network communications.



[Figure 7 residue lost; surviving labels: layer 0 to layer 4, input, output. Caption:] Implementation of the 16-bit function



Those results can be compared to MISTY, which has been implemented by Mitsubishi. In Matsui [18] this chip is specified to require 65000 gates working at 14MHz and encrypting at 450Mbps.



A straightforward non-optimized implementation of the cipher in standard C on a Pentium 133MHz (see the Appendix) gives an encryption rate of 2.1Mbps, which is reasonably fast compared to similar implementations of DES.

Another (non-optimized) implementation in assembly code enables the Pentium to perform a 64-bit encryption within 973 clock cycles, which leads to 8.3Mbps working at 133MHz.

An evaluation similar to the VLSI-implementation estimate shows that the number of "usual" boolean gates (xor, and, or, not) required to implement 64 parallel 64-bit encryptions using Biham's bit-slice trick on a 64-bit microprocessor is 11968, which is substantially less than Biham's implementation of DES, which requires about 16000 instructions (see [reference lost]). Therefore if we use a 300MHz Alpha microprocessor which requires 0.5 cycles per instruction (as in [reference lost]) we obtain an encryption rate of about 196Mbps.



An implementation has been done for a cheap smart card platform. A compact 6805 assembly code of roughly 500 bytes can encrypt a 64-bit string in its buffer by using only 6 extra byte-registers within 12633 clock cycles. This means that a cheap smart card working at 4MHz can encrypt within 3.16ms (a 19.8Kbps rate), which is better than optimized implementations of DES [1]. This implementation can still be optimized.



[Figure 8 residue; surviving column headers: platform, clock frequency, encryption rate, note. Caption:] Implementations of the cipher

The cipher has been shown to offer quite fast encryption rates on several kinds of platforms, which is suitable for telecommunication applications. Figure 8 summarizes the implementation results. Its security is based on heuristic arguments. All attacks are welcome...

Acknowledgements

We wish to thank the [text lost] supported this work.

Appendix

Here is a sample implementation of the cipher in C. The procedure takes a plaintext block and a precomputed subkey sequence (as a 9×8-byte array). This program is highly optimizable.

[C source lost in extraction: a typedef of unsigned int and a list of #define'd 8-bit constants whose names and most values are lost.]
Abstract. The block cipher RC2 was designed in 1989 by Ron Rivest for RSA Data Security Inc. In this paper we describe both the cipher and preliminary attempts to use both differential and linear cryptanalysis.

RC2 is a block cipher that was designed in 1989 by Ron Rivest for RSA Data Security Inc. Initially held as a confidential and proprietary algorithm, RC2 was published as an Internet Draft during 1997 [12]. RC2 has many interesting and unique design features, particularly so when one considers the style of ciphers that dominated both the literature and the market at the time of its invention. The cipher was intended to be particularly efficient on 16-bit processors, and with a 64-bit block size it was intended as a drop-in replacement for DES [11]. A significant feature of RC2 is the flexibility offered to the user in terms of the effective key-size. This has now become a common feature of many block cipher proposals, and it is a property that has proven to be important in commercial applications. Over the years RC2 has been deployed widely and it features prominently in the S/MIME secure messaging standard [5]. Currently there are no published results on the cryptanalytic strength of RC2. As a first step this paper sets out some details on how the basic attacks of differential [1] and linear [8] cryptanalysis might apply.



There are two distinct parts to using RC2. First, a key expansion procedure takes a user-supplied key of between one and 128 bytes in length together with a parameter that specifies the effective key-length of encryption. From this information an array K of 64 16-bit round keys is derived. Then a 64-bit plaintext block is encrypted using the array K. Encryption consists of two styles of rounds. One is termed a MIXING round and the other a MASHING round.

Both the key expansion and encryption components rely on the use of a substitution table called PITABLE. This table specifies a random permutation on the integers 0...255 and was derived from the expansion of 3.14159.... The table itself will not concern us directly in this paper but it is included for completeness in the Appendix. We will now describe the action of RC2 in more detail. We will use x <<< k to denote the 16-bit word x rotated left by k bits; ∧ will denote bitwise logical AND, ⊕ will denote bitwise exclusive-or and ¬ will denote bitwise complementation. All 16-bit word addition is performed modulo 2^16.

(Footnote: RC2 is a registered trademark of RSA Data Security Inc.)

[Proceedings footer: LNCS 1372, pp. 206–22…]

[Running header:] On the Design and Security of RC2



During the key expansion procedure both byte operations and 16-bit word operations are used. The array that stores the 64 16-bit round keys will be referred to in two ways.

a) For word operations the positions of the buffer will be referred to as K[0]...K[63], where each K[i] is a 16-bit word.

b) For byte operations the array of round keys will be referred to as L[0]...L[127], where each L[i] is an eight-bit byte. It will always be the case that K[i] = L[2i] + 256·L[2i+1] (that is, the lower order byte is given first).

Suppose that T bytes of key are supplied by the user, with 1 ≤ T ≤ 128. The key expansion procedure places the T-byte key into L[0]...L[T-1] of the key buffer. Regardless of the value of T, however, the algorithm has a maximum effective key length in bits that is denoted T1. The effective key length in bytes, T8, and a mask TM based on the effective key length in bits T1 are derived as T8 = ⌈T1/8⌉ and TM = 255 mod 2^(8 + T1 - 8·T8). Key expansion consists of the following two loops and an intermediate step:

1. for i = T ... 127 do
   L[i] = PITABLE[L[i-1] + L[i-T]] (addition is modulo 256)

2. L[128-T8] = PITABLE[L[128-T8] ∧ TM]

3. for i = 127-T8 ... 0 do
   L[i] = PITABLE[L[i+1] ⊕ L[i+T8]]

At the end of this key expansion the array K[0]...K[63] contains the 64 16-bit subkey words that will be used during encryption.



The encryption operation is defined in terms of primitive MIX and MASH operations. An array of four 16-bit words R[0]...R[3] is used to hold the initial plaintext, the intermediate results and the final ciphertext. Indices to this array are always given modulo 4.

[page number lost] L.R. Knudsen, V. Rijmen, R.L. Rivest, M.J.B. Robshaw

MIX R[i]

The primitive MIX R[i] operation is defined as follows, where s[0] = 1, s[1] = 2, s[2] = 3 and s[3] = 5. r is a global variable so that K[r] is always the first key word in the expanded key which has not yet been used in a MIX operation.

R[i] = R[i] + K[r] + (R[i-1] ∧ R[i-2]) + (¬R[i-1] ∧ R[i-3]);
r = r + 1;
R[i] = R[i] <<< s[i];

MIXING round

A MIXING round consists of MIX R[0], MIX R[1], MIX R[2], MIX R[3].

MASH R[i]

The primitive MASH R[i] operation is defined as follows:

R[i] = R[i] + K[R[i-1] ∧ 003Fx];

MASHING round

A MASHING round consists of MASH R[0], MASH R[1], MASH R[2], MASH R[3].

The entire encryption operation can now be described as follows. Here r is a global integer variable which is only affected by the mixing operations.



Encryption with RC2

1. Initialize words R[0]...R[3] to contain the 64-bit plaintext block.
2. Expand the key so that words K[0]...K[63] become defined.
3. Initialize r to zero.
4. Perform five MIXING rounds.
5. Perform one MASHING round.
6. Perform six MIXING rounds.
7. Perform one MASHING round.
8. Perform five MIXING rounds.
9. The ciphertext is R[0]...R[3].

Decryption is the reverse of encryption. Since the details can easily be established they are not included here. Test vectors for encryption using RC2 are provided in the Appendix.



RC2 is rather unusual in that the 64-bit plaintext block is split into four words each of 16 bits. In a style reminiscent of the hash function [13], much of the encryption process relies on one of these words being modified by a function of the other three, the four words then being swapped cyclically. This design approach was explored some seven years after the design of RC2, which now might be described as being an unbalanced Feistel cipher.

The key schedule for RC2 is also unusual. T8 is the number of bytes needed to contain the given T1 bits of key. When T1 is not congruent to 0 modulo 8, a mask TM containing ones in the low-order bits is used to derive the correct effective key length. The first step of the key expansion expands the key to fill 128 bytes using a non-linear byte-wide feedback shift-register approach. Step three is similar to the first except that it starts at the high end and works towards the lower end. Steps two and three also work together to limit the effective key size to T1 bits. Step three corresponds to using a feedback register of only T8 bytes, and step two ensures that the initial state of that register has only T1 bits of entropy. Although the procedure limits the actual entropy of the key to T1 bits, it also ensures that the final key table depends upon each bit of the supplied key. If one supplies a 16-byte key but sets T1 to a smaller value, then changing any bit of the supplied key should result in a different key table, although the number of possible key tables is limited to 2^T1.



Differential cryptanalysis [1] can be a powerful style of attack. By choosing a pair of plaintexts with a particular difference which is adapted to the cipher in question, the cryptanalyst hopes that some identifiable and unusual behavior can be observed by processing the ciphertexts. One possible evolution of the difference between a pair of plaintexts during encryption can be described by a characteristic. In essence a characteristic specifies the difference between two parallel encryptions at each stage of the encryption process, and there is some associated probability that a pair being encrypted does in fact follow this description. A plaintext pair that follows the characteristic is typically called a right pair. A pair that does not is called a wrong pair.

Throughout our attack on RC2 we shall define the difference between two 16-bit words x and x' to be x ⊕ x'. Furthermore, in our analysis we shall be interested in how single-bit differences behave within RC2. The decision to restrict our attention to single-bit differences facilitates analysis, but it is also motivated by a typical assumption that characteristics involving multiple-bit differences over integer addition will generally hold with lower probability than single-bit characteristics [6]. We note that other more complex techniques [2, 7] might open new avenues for the analysis of RC2.

We will use e_i to denote the 16-bit word with a single one bit in position i from the right, all other bits being set to zero. We also view the leftmost bit of a 16-bit word to be the most significant bit. Thus we shall use e_15 to denote a 16-bit word with the only non-zero bit being the most significant bit. We will denote the word of 16 zero bits as 0000x, where the subscript x denotes hexadecimal notation, and we will denote the Hamming weight (i.e. the number of ones in the binary expansion of some quantity x) as wt(x).
For the remainder of the paper we shall consider MIXING and MASHING rounds in the following way. Instead of viewing the operation at each step as acting on a different word, we shall consider the operations to be identical (i.e. at each MIX step R[0] = R[0] + K[r] + (R[3] ∧ R[2]) + (¬R[3] ∧ R[1])) but that between steps the words are rotated cyclically (i.e. TEMP = R[0]; R[0] = R[1]; R[1] = R[2]; R[2] = R[3]; R[3] = TEMP).

3.1 Characteristics for MIX

Given an input difference (e_i, 0000x, 0000x, 0000x) to the first MIX step in a MIXING round, the output difference before rotation will be (e_i, 0000x, 0000x, 0000x) with probability p = 1/2. Rotation then moves this single bit difference within the word and the four words are swapped cyclically. We can summarize the four basic characteristics which hold with probability p = 1/2 (when averaged over all plaintexts and key words) for a MIX step. The value of the rotation depends on the step in which the characteristic is applied. Note that addition within the subscript of e is to be performed modulo 16.

[Characteristics (1)–(4) lost in extraction.]
Apart from (1) with i = 15, which holds with probability 1, these characteristics hold with probability 1/2 on average. There are times where the characteristics do not hold. The following are the cases where the characteristic holds with certainty:

In (2), if (R[2] ∧ e_i) = (R[1] ∧ e_i) then p = 1.

In (3), if (R[3] ∧ e_i) = 0000x then p = 1.

In (4), if (R[3] ∧ e_i) = e_i then p = 1.

In the first MIXING round the attacker chooses the plaintext, and this allows the cryptanalyst to capture some of these special cases in an attack.

3.2 Characteristics for MASH

There are two MASHING rounds in RC2 and the basic MASH step is R[0] = R[0] + K[R[3] ∧ 003Fx]. Given an input difference (0000x, 0000x, 0000x, e_i) to a MASHING round with (e_i ∧ 003Fx) = 0000x, the same key word K[R[3] ∧ 003Fx] will be added to both sets of partially encrypted data. The four basic useful characteristics for MASH are as follows:

(e_i, 0000x, 0000x, 0000x) → (0000x, 0000x, 0000x, e_i) (5)

(0000x, 0000x, 0000x, e_i) → (0000x, 0000x, e_i, 0000x) (6)

(0000x, 0000x, e_i, 0000x) → (0000x, e_i, 0000x, 0000x) (7)

(0000x, e_i, 0000x, 0000x) → (e_i, 0000x, 0000x, 0000x) (8)

Characteristic (5) holds with probability 1/2 unless i = 15, when it holds with probability 1. Characteristics (7) and (8) hold with probability 1, and characteristic (6) holds with probability 1 if (e_i ∧ 0x3f) = 0000x. Joining these four characteristics together to pass across a MASHING round with probability 1 is straightforward.



In this section we combine characteristics for both MIXING and MASHING rounds while moving towards a full analysis of RC2. We will assume that the subkey words K[0]...K[63] are independent, and we aim to recover the expanded key table K in our attack.

The characteristics of interest are built around single-bit differences and, as noted in Section 3.1, there are advantages to having this single non-zero bit in the most significant bit of a word. Depending on which word R[i] is the subject of the characteristic, different rotation amounts featured during MIXING are used. This leads to conditions on the position of the single-bit difference in the plaintext that provide some advantages in an attack. Another consideration is the presence of the MASHING rounds, and one aim might be to nullify their action. If a one-bit characteristic specifies an input difference to a MASHING round of e_i in any one of the words, then provided i = 15 the characteristic will pass through the MASHING round unhindered with probability 1. If i ≠ 15 then there is a characteristic that holds with probability 1/2. There are six MIXING rounds between the two MASHING rounds and so, with the difference (e_i, 0000x, 0000x, 0000x) as input to the first MASHING round, we can establish the values of i that are useful to us.

A more accurate reflection of the success of a final attack is given by considering differentials [10] instead of characteristics (which provide only a lower bound to the probability of the differential). In Section 3.5 we will consider the issue of differentials in more detail, but from this point on we will anticipate later analysis by referring to the use of differentials during our description of the attack. The observations provided so far allow us to present in Table 1 the differentials that are useful to us.



In a differential cryptanalytic attack the attacker typically chooses a differential for (n-1) rounds of an n-round block cipher. The attacker then tries to deduce key information from the last round of the cipher [1]. Here the most effective attack on RC2 appears to require that bits of the subkey K[0] used in the first MIXING round are recovered first.

Consider a differential with input difference (0000x, 0000x, 0000x, e_i). The starting values of R[1] and R[2] are chosen so that (R[1] ∧ e_i) = (R[2] ∧ e_i). After the first MIX step the difference will be (0000x, 0000x, e_i, 0000x). The output difference from the second MIX step will depend on the value of bit i in register R[3]. If this bit is zero then word R[1] with difference 0000x will be
[Table 1 body lost in extraction; surviving column labels: Δ plaintext, Δ at the start of the MIXING rounds, Δ after the MIXING rounds; entries are of the form (e_i, 0000x, 0000x, 0000x) → (e_j, 0000x, 0000x, 0000x) and cyclic rotations of these positions, each with a probability.]

Table 1. The 26 differentials that are potentially useful in an attack on RC2. The associated probabilities are lower bounds provided by the analysis of characteristics contained within the specified differential.



chosen. Otherwise word R[2] with difference e_i will be chosen and a difference will be introduced into another word. Note that the value of this bit depends on the plaintext (which we know) and on bits of the first 16-bit subkey word K[0].

We can trace the output of the second MIX step to the end of the penultimate MIXING round by using the differentials in Table 1. If the pair is a right pair then we can recover one bit of information from K[0] as follows. A necessary condition for a pair to be a good pair is that

e_i ∧ ((R[0] + K[0] + (R[3] ∧ R[2]) + (¬R[3] ∧ R[1])) <<< 1) = 0. (9)

Let X = R[0] + (R[3] ∧ R[2]) + (¬R[3] ∧ R[1]), which we control via the choice of plaintext. Then we have the following condition for a right pair:

(X + K[0]) ∧ e_{i-1} = 0. (10)

Denote by K' the value derived by setting the top ((16-i) mod 16) bits of K[0] to zero. Let t = e_{i-1} and let X' be the quantity derived by setting the top ((16-i) mod 16) bits of X to zero. Then we have that

[equation (11) lost in extraction: condition (10) restated as a condition on X', K' and t.]

To mount an attack to recover bit (i-1) of K[0] for some given i, we encrypt plaintext pairs with X until we obtain a right pair. Once we have a right pair we observe the value of X. From this we deduce the value of bit (i-1) in K' and hence in K[0]. We then repeat this approach, choosing pairs with different values of i, so that information on the subkey K[0] is recovered bit by bit.

By using different differentials with different values of i (see Table 1) we are able to introduce some error-checking into the attack¹. In this way the bits of K[0] that we recover can be verified. All recovered bits of K[0] have to be correct for the next bit of K[0] to be correctly derived. Note that a structure is useful in reducing the plaintext requirements for a differential attack when more than one differential is useful. With several useful differentials we can ask for 2^n plaintexts with specifically chosen differences. From these we derive 2^(n-1) plaintext pairs for each of the characteristics.

There remains the issue of detecting when a pair is a good pair. We note that the difference at the start of the final MIXING round has Hamming weight one for a good pair. We might therefore measure the Hamming weight of the ciphertext difference, and if the weight is less than some threshold the pair can be considered a right pair. Depending on the threshold we might accept some wrong pairs as being right pairs, something that would provide a wrong answer to the bit we wish to recover with probability 1/2. To improve the robustness of the attack one might aim to collect more right pairs. Then the value of the bit suggested most often can be assumed to be the correct value for the key bit we are trying to recover. As a demonstration we provide the success rate for different amounts of plaintext in experiments on eight-round RC2. (There are eight MIXING rounds with a MASHING round inserted after round five, as occurs in RC2.) A decision on whether a good pair had occurred was made according to whether the Hamming weight of the difference in the ciphertext was less than some threshold. When one value for the key bit had a count more than the other (this difference being denoted by d), that value for the key bit was set. Each entry in the table was computed after 20 experiments.

¹ Not all values of i are available for use due to the two MASHING rounds.





[Table 2 body partly lost in extraction: success rate of recovering a key bit, by Hamming-weight threshold (11, 12, 13) and count difference d, each cell giving the success percentage and the number of plaintexts used. Surviving cells: d = 2: 90%, 20%, 0% (2^…); d = [lost]: 100% (2^30), 95% (2^30), 20% (2^2…); d = 8: 100% (2^3…), 100% (2^3…), 65% (2^3…).]

s w pr viously m ntion it is iff r nti Is n th ir pro iliti s th t r fi t 
th ff tiv n ss o iff r nti Ittk. hrs hrt risti s ri s on 

sp iff volution o iff r n s through n ryption rom giv n st rting iff r- 

n th r might w 11 h v n oth r p ths through th iph r to th s m 

t rg t iff r n th n th on s ri y on p rti ul r h r t risti . ith 

2 this 1 s to p rti ul rly int r sting int r tion tw n th MIXING n 
MASHING roun s. 

irst w will onsi r in str t t rms th pro ility th t on - it i - 

r n in som wor pro us on - it iff r n in th wor d wh n w 
fin c? c or unknown oust nts n c. n ppro h might to 

onsi r this s two s p r t itions n to onsi r th int rm i t wor 

first, in on - it iff r n in pro us on - it iff r n in 
with pro ility 1 2 n on - it iff r n in provi s on - it iff r n in 

d c with pro ility 1 2 w woul s y th t th hr t risti ov r th two 
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itions h s pro ility 1 . ow v r it woul th n misl ing to us this 

h r t risti to provi n pproxim tion to th pro ility o th iff r nti 1 

rom to d. nst th pro ility o th prop g tion o on - it iff r n 

rom to (i is 1 2 sin c is fix v In . ons qu ntly th pro ility o 

th iff r nti 1 rom to d must Iso 12. 

Recall that the probability of the differential is given by the sum of the probabilities of all the characteristics that satisfy the differential. By looking at two successive additions in isolation we inadvertently restrict our attention to single-bit differences in the intermediate value. Let α, 0 ≤ α ≤ n − 1, denote the position of the one-bit difference in a. A one-bit difference in a will give a difference in a + b with Hamming weight h with probability 2^(−h) for 1 ≤ h ≤ n − α − 1, and with probability 2^(−(n − α − 1)) for h = n − α. Since this h-bit difference was caused by a one-bit difference in the previous step, an h-bit difference in a + b will transform to a one-bit difference in d by the addition of c with probability 1/2. Thus we get

n—oc 

2~ (2"”+“ 2"^) i - 1 (12) 

h 

1 i - 1. (13) 

An example where this has an effect is when a MIXING round follows a MASHING round. Each of the words 0 ... 3 is modified by a MASH step in turn; at the first subsequent MIX step word 0 is modified by means of addition. By looking at the two additions in isolation one under-estimates the probability of the differential.

In the analysis of RC2 we need to take account of this effect since it applies to some extent to the MIXING rounds as well as during the transition between MIXING and MASHING rounds. Within the MIXING rounds an intermediate quantity is used as input to a multiplexor function. This reduces the probability that this particular characteristic is followed by a factor of 2^(−h) for each multiplexor when the Hamming weight of the difference is h. If we denote the number of multiplexing functions between two successive additions by k then (12) can be rewritten as follows
The last approximation is reasonable for small k (k ≤ 3) but would need some correction for larger values of k. For k = 0, 1, 2, 3, (17) gives 1/2, 1/6, 1/14, 1/30, which should be compared with the respective probabilities of the characteristics we previously derived, 1/4, 1/8, 1/16, 1/32. In the case of two consecutive MIXING rounds we have that k = 3 and so the probability of a one-bit to one-bit differential across two MIXING rounds is 1/30 ≈ 2^(−4.9).

The effect we are discussing here can extend to a series of additions whereby the intermediate values of interest have differences with a variety of Hamming weights, even though the starting and ending differences have weight one. Consider three consecutive mixing rounds. Let there be a one-bit difference in the leftmost words of two inputs and let α be the position of that bit, where 0 ≤ α ≤ n − 1. Let d be the difference in the leftmost words after three mixing rounds and suppose that h1 and h2 denote the Hamming weights of the leftmost words after one, respectively two, mixing rounds. Then the probability that d is a one-bit difference can be estimated as follows, where k = 3 and where for simplicity we have eliminated the term for h = n − α.



n—a n—cx. 

h. h. 



2 ” 




n—oc 



)h. 




k-\- 




(19) 



1 



2fe+)-l / \ 2 '=+)-! 



1 



(20) 



Again the final approximation requires that k is small. For k = 3 it is 2^(−4)(1/15)^2. We can now estimate the probability of the differential over three mixing rounds by 2^(−4)(1/15)^2 = 1/3600 ≈ 2^(−11.8). This extends easily to more rounds and in general the probability of a differential over r mixing rounds is (1 15)'’“ — 1 16. Note that the MASHING rounds can be passed with probability one.

For a more accurate assessment a slight correction should be applied for rounds where the difference is close to the most significant bit, but experimental evidence given below suggests that the expressions derived are reasonable to use. The number of rounds in the table refers to the number of MIXING rounds used; after five MIXING rounds an additional MASHING round is inserted, as occurs when encrypting with RC2. The final column is derived as an average over the last five sets of experiments for each row.
[Table residue: number of MIXING rounds against the estimated and experimentally observed differential probabilities; the entries are not recoverable from the scan.]
Note that the probability of the differential obtained in this section does not take into account text pairs which have internal differences in more than one word before they are resynchronized. This was observed occasionally during experiments, but since cases where differences in more than one word are resynchronized are rare, we ignore their impact on our estimates.



We arrive at the following estimates for the data required to recover information about the subkey K[0]. Once this subkey word has been recovered the attack is repeated on what would now be a reduced version of RC2. When we take into account the key-recovery techniques of Section 3, we estimate that a differential attack on RC2 with r MIXING rounds (including the MASHING rounds) requires at most 2 ’’ chosen plaintexts. An attack on RC2 with 16 MIXING rounds requires use of a differential with probability at least 2“ (at least, since we have not yet accounted for such phenomena as a one-bit difference in the most significant bit at a MIXING round). In this regard RC2 with 16 MIXING rounds compares favorably to DES (2 ^ pairs [1]) and 12-round RC5 (2 pairs [3]). It is fair to observe, however, that RC2 is not a fast cipher, and an optimized version of DES and 12-round RC5 are both likely to be faster than RC2.



Linear cryptanalysis has provided the best theoretical attack on DES in terms of data requirements [9]. However its usefulness on other ciphers is often limited. The aim of such an attack is to relate bits of the plaintext and ciphertext to bits of the key via a linear equation which holds with some probability p. Such an approximation can generally be used to provide an estimate for one bit of the key, and more advanced techniques are available to extract more key information [9]. If an approximation holds with probability p then the important quantity for the cryptanalyst is the absolute value of the bias of the approximation, |1/2 − p|. Typically the data required to use such an approximation is given by c · |1/2 − p|^(−2) known plaintexts for some small constant c [9].

The MIX step in RC2 is R[0] = R[0] + K[j] + (R[3] & R[2]) + (~R[3] & R[1]). Across integer addition the best linear approximation involves the least significant bit of each quantity and will hold with probability one. The multiplexor function (R[3] & R[2]) + (~R[3] & R[1]) has linear approximations of varying usefulness. The absolute value of the highest non-trivial bias is 1/4 when averaged over all plaintexts. In a slight abuse of notation we will consider 16-bit words as vectors in Z_2^16 and use a 16-bit quantity to indicate the bits of the word R to use in a linear approximation. This is most conveniently described by means of the scalar product of two vectors; thus a 0/1 vector will be used to denote the specific bits of R to use in an approximation, and its scalar product with R is the value of those bits combined using exclusive-or. Useful linear approximations across the multiplexor are of the form



1 

2 



1 - 
2 - 



3 

3 
where wt(α) = 1. More generally, approximations to the multiplexor function with non-zero bias have the form

α · R[1] ⊕ β · R[2] ⊕ γ · R[3] (21)

where the mask on the multiplexor output is the bitwise inclusive-or of α and β, and γ is either 0 or it consists of ones in positions where either α or β have ones. The greater the value of wt(γ), the lower the absolute value of the bias of the approximation.

The following approximation to the first MIX step (which includes the cyclic swap of the R words) might be useful:

^3^^) o^O )-o^ )-o -2 . 

This has bias of absolute value 1/4. The following steps require no approximation, and there appear to be no better non-trivial linear approximations for a complete MIXING round. We might illustrate this approximation in the following way:

0 12 3 



— 1 2 
— 1 2 
— 1 2 

In continuing this approximation into the next MIXING round we would be forced to approximate a bit of R[0]. One integer addition involves the subkey word, and depending on this value the bias of the approximation will vary. The second integer addition involves the output from the multiplexor function. By the conditions given above this approximation must involve R[1] or R[2], and we can construct the following approximations for the second and third MIXING rounds. Here we assume that the bias of the approximation across the multiplexor function is at most 1/4. Similarly we assume that the bias of the approximation across the integer addition is at most 1/4. This occurs in approximating steps 1 and 3, and the value of the bias |1/2 − p| is given for those steps individually.

0 1 

1 



— 2 



The typical way to measure the effectiveness of linear cryptanalysis is to appeal to the so-called piling-up lemma [8]. By doing this we are able to estimate a bias

Note that the whole issue of key dependence in linear cryptanalysis is a complex one and has rarely been addressed [1].



1 2 

1 8 

1 2 
of 2“^ — 2“^ — 2“^ — 2^ 2“® for our approximation to the first two MIXING rounds of RC2. In the case of RC2, however, routine use of the piling-up lemma can lead to misleading results.

As an example, suppose that the two subkeys used in steps one and three of round two are zero. In isolation the approximation to step one (A1, say) holds with probability 5/8. In step three we find that the second approximation (A2, say) involves bits that previously determined whether A1 held. Analysis shows that the probability that A2 holds given that A1 holds is 13/20 and not 5/8 as when A2 is considered in isolation. Furthermore the probability that A2 doesn't hold when A1 doesn't hold is 5/12 instead of 3/8. So when the two approximations are combined, the probability that the combined approximation to round two holds is (5/8 · 13/20) + (3/8 · 5/12) = 9/16, which leads to a bias of 1/16. This is greater than the 1/32 predicted by use of the piling-up lemma.

Much of the complicated interaction between the two approximations is due to the role of addition in the cipher. As an example, if we suppose that approximation A1 holds then it can be shown that the probability that the least significant bit of R[2] is equal to zero is 11/20. Since this bit plays a pivotal role in determining whether A2 holds, it is no surprise that the piling-up lemma gives misleading results.

For the user of RC2 there is circumstantial evidence that linear cryptanalysis is unlikely to pose a threat to RC2. Such attacks appear to be ineffective for ciphers that mix integer addition and bitwise operations unless the approximation can be limited to the least significant bits across an addition [6]. Such a restriction appears unlikely, as an extension of the current approximation into a third MIXING round illustrates:



1 

2 

3 



2—3 



2—3 



1 16 

— 1 2 

1 128 

— 1 2 



Nevertheless there are complex interactions between the individual steps of RC2, and these often provide unintuitive results. In particular we have discovered cases where adding a non-trivial approximation to an existing approximation actually boosts the absolute value of the bias. (Such an example can be found in step 3 above when the subkeys in all rounds are set to zero.) Under such circumstances the true effectiveness of linear cryptanalysis in attacking RC2 has to remain an open problem.



Conclusions

In this paper we have described the block cipher RC2. While the cipher is perhaps slower than other alternatives available today, it does appear to offer effective resistance to differential cryptanalysis. Our attempts to apply linear cryptanalysis to RC2 have provided some intriguing insights but are as yet insufficient to determine the actual resistance of RC2 to linear cryptanalysis; this remains an open problem. It is important that RC2 continues to come under close scrutiny from the cryptanalytic community.
For many applications the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [1]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majority of applications that use it today implement it in software, where it is relatively inefficient.

For these reasons the National Institute of Standards and Technology has issued a call for a successor algorithm, to be called the Advanced Encryption Standard or AES. The essential requirement is that AES should be both faster and more secure than triple-DES; specifically, it should have a 128-bit block length and a key length of 256 bits (though keys of 128 and 192 bits must also be supported).

In this paper we present a candidate for AES. Our design philosophy has been highly conservative; we did not feel it appropriate to use novel and untested ideas in a cipher which, if adopted after a short review period, will be used to protect enormous volumes of financial transactions, health records and government information over a period of decades.

We therefore decided to use the S-boxes from DES, which have been subject to intense study over many years and whose properties are thus well understood, in a new structure which is optimized for efficient implementation on modern processors while simultaneously allowing us to apply the extensive analysis already done on DES. As a result we can show that our design resists all known attacks, including those based on both differential [7] and linear techniques.

We propose several variants of the cipher, which we have tentatively named Serpent. The primary variant is a 32-round cipher which we believe to be as secure as three-key triple-DES but which is only slightly slower than DES when implemented on a Pentium (in some assembly languages it may be faster than DES). It is an SP-network operating on four 32-bit words, thus giving a block size of 128 bits.

The additional variants have increased block sizes. The block size can be doubled to 256 bits either by increasing the word size from 32 to 64 bits (which will be well suited to the new generation of 64-bit processors) or by using the round function in a Feistel construction. These two variants can be combined to give a cipher with 512-bit blocks.

At this stage all the variants are still tentative. We are still working on improvements and analysis; as usual in this field we encourage interested parties to analyze the cipher, inform us of any weakness and pass on any remarks or suggestions for improvements.

All values used in the ciphers are represented in little-endian, including the bit order (0..31 in 32-bit words or 0..127 in the full 128-bit blocks) and the order of words in the block. Thus bit 0 is the least significant bit and word 0 is the least significant word. The notation is important as there are two equivalent representations of Serpent: a standard representation and a bitslice representation.



The main variant of our cipher encrypts a 128-bit plaintext P to a 128-bit ciphertext C in r rounds under the control of r + 1 128-bit subkeys K0, ..., Kr. (We have chosen r = 32 as the default and will henceforth replace r by 32 in order to make the description of the cipher more readable.)

The cipher is an SP-network and consists of:

an initial permutation IP;

32 rounds, each consisting of a key mixing operation, a pass through S-boxes, and (in all but the last round) a linear transformation. In the last round this linear transformation is replaced by an additional key mixing operation;

a final permutation FP.

The initial and final permutations do not have any cryptographic significance. They are used to simplify an optimized implementation of the cipher, which is described in the next section, and to improve its computational efficiency. Both these two permutations and the linear transformation are specified in the appendix; their design principles will be made clear in the next section.

We use the following notation. The initial permutation IP is applied to the plaintext P, giving B0, which is the input to the first round. The rounds are numbered from 0 to 31, where the first round is round 0 and the last is round 31. The output of the first round (round 0) is B1, the output of the second round (round 1) is B2, the output of round i is Bi+1, and so on, until the output of the last round (in which the linear transformation is replaced by an additional key mixing) is denoted by B32. The final permutation FP is now applied to give the ciphertext C.

Each round function Ri (i ∈ {0, ..., 31}) uses only a single replicated S-box. For example, R0 uses S0, 32 copies of which are applied in parallel. Thus the first copy of S0 takes bits 0, 1, 2 and 3 of B0 ⊕ K0 as its input and returns as output the first four bits of an intermediate vector; the next copy of S0 inputs bits 4–7 of B0 ⊕ K0 and returns the next four bits of the intermediate vector, and so on. The intermediate vector is then transformed using the linear transformation, giving B1. Similarly, R1 uses 32 copies of S1 in parallel on B1 ⊕ K1 and transforms their output using the linear transformation, giving B2.

In the last round R31 we apply S31 on B31 ⊕ K31 and XOR the result with K32 rather than applying the linear transformation. The result B32 is then permuted by FP, giving the ciphertext.

Thus the 32 rounds use 32 different S-boxes, each of which maps four input bits to four output bits. Each S-box is used in only one round, in which it is used 32 times in parallel. The 32 S-boxes are chosen as the 32 separate lines of the eight DES S-boxes; thus our S0 (used in round 0) is the first line of the DES S1, our S1 (used in round 1) is the second line of the DES S1, our S4 (used in round 4) is the first line of the DES S2, and so on.

As with DES, the initial permutation is the inverse of the final permutation. Thus the cipher may formally be described by the following equations



wh r 



• •• (• ) 

• •(* •) 

• *•-(*•) 

* •(* ) * ( •(* * •)) 

*.(• ) .(• ..)*.* *-l 



where Ŝi is the application of the S-box Si 32 times in parallel and L is the linear transformation.

Although each round of the proposed cipher might seem weaker than a round of DES, we shall see below that their combination overcomes the weakness. The greater speed of each round and the increased number of rounds make the cipher both almost as fast as DES and much more secure.



Decryption

Decryption is different from encryption in that the inverse of the S-boxes must be used, as well as the inverse linear transformation and the reverse order of the subkeys.

Much of the motivation for the above design will become clear as we consider how to implement the algorithm efficiently. We do this in bitslice mode. For a full description of a bitslice implementation of DES, see [9]; the basic idea is that just as one can use a 1-bit processor to implement an algorithm such as DES by executing a hardware description of it, using a logical instruction to emulate each gate, so one can also use a 32-bit processor to compute 32 different DES blocks in parallel, in effect using the processor as a 32-way SIMD machine.

This is much more efficient than the conventional implementation, in which a 32-bit processor is mostly idle as it computes operations on 6 bits, 4 bits or even single bits. The bitslice approach was used in the recent successful DES key search, in which spare cycles from thousands of machines were volunteered to solve a challenge posed by RSA. However, the problem with using bitslice techniques for encryption (as opposed to key search) is that one has to process many blocks in parallel, and although special modes of operation can be designed for this, they are not the modes in common use.

Our cipher has therefore been designed so that all operations can be executed using 32-fold parallelism during the encryption or decryption of a single block. In fact the bitslice description of the algorithm is much simpler than its conventional description. No initial and final permutations are required, since the initial and final permutations described in the standard implementation above are just the conversions of the data from and to the bitslice representation. We will now present an equivalent description of the algorithm for bitslice implementation.

The cipher consists simply of 32 rounds. The plaintext becomes the first intermediate data B̂0 = P, after which the 32 rounds are applied, where each round i ∈ {0, ..., 31} consists of three operations:

1. Key Mixing: at each round a 128-bit subkey K̂i is exclusive or'ed with the current intermediate data B̂i.

2. S-boxes: the 128-bit combination of input and key is considered as four 32-bit words. The S-box, which is implemented as a sequence of logical operations (as it would be in hardware), is applied to these four words, and the result is four output words. The CPU is thus employed to execute the 32 copies of the S-box simultaneously, resulting with Ŝi(B̂i ⊕ K̂i).

3. Linear Transformation: the 32 bits in each of the output words are linearly mixed, by



2 



2 



* 2 * * * 
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• • • • • 

• • • • • 'J 

• • • • 

• 2 * 2 * (* * * 7 ) 

• • • • • 5 

• 2 * 2 * * * 

* • 2 ** 

where <<< denotes rotation and << denotes shift. In the last round this linear transformation is replaced by an additional key mixing with K̂32.

• ._ ) • ot th t t h st g •• (• .) • . n •• (• .) • 

The first reason for the choice of linear transformation is to maximize the avalanche effect. The S-boxes have the property that a single input bit change will cause two output bits to change; as the difference sets of 13 5 7 13 modulo 32 have no common member (except one), it follows that a single input bit change will cause a maximal number of bit changes after two and more rounds. The effect is that each plaintext bit and each round key bit affects all the data bits after three rounds. Even if an opponent chooses some subkeys and works backwards, it is still the case that each key bit affects each data bit over six rounds. (Some historical information on the design of the above linear transformation is given in the appendix.) The second reason is that it is simple and can be used in pipelined processors with a minimum number of pipeline stalls. The third reason is that it was analyzed by programs we developed for investigating block ciphers, and we found bounds on the probabilities of the differential and linear characteristics. These bounds show that this choice suits our needs, although we would like to improve on it.

We are still considering other, simpler choices for the linear transformation. One possibility is to adopt an LFSR-like transform of the form * . * . OL(* — **.) for * 1 6, where the four data words are the indices of * are taken modulo and the *.'s are fixed. The problems with such a scheme are that it is hard to pipeline and that every characteristic can be rotated in all its words and still remain with the same probability. We are still working on other possible linear transformations.



As with the description of the cipher, we can describe the key schedule in either standard or bitslice mode. For reasons of space we will give the substantive description for the latter case.

Our cipher requires 132 32-bit words of key material. We first expand the user supplied 256 bit key K to 33 128-bit subkeys K0, ..., K32 in the following way. We write the key K as eight 32-bit words w−8, ..., w−1 and expand these to an intermediate key (which we call the prekey) w0, ..., w131 by the following affine recurrence
where φ is the fractional part of the golden ratio (√5 + 1)/2, or 0x9e3779b9 in hexadecimal. The underlying polynomial x^8 + x^7 + x^5 + x^3 + 1 is primitive, which together with the addition of the round index is chosen to ensure an even distribution of key bits throughout the rounds, and to eliminate weak keys and related keys.

The round keys are now calculated from the prekeys using the S-boxes, again in bitslice mode. The S-box inputs and outputs are taken at a distance of 33 words apart in order to minimize the key leakage in the event of a differential attack on the last few rounds of the cipher. We use the S-boxes to transform the prekeys wi into words ki of round key by dividing the vector of prekeys into four sections and transforming the j'th words of each of the four sections using the corresponding S-box. This can be seen simply for the default case r = 32 as follows





• • • 


•• 66 ** 


* ( 66 ** ) 






• • • 


•* 67 ** 


* 2 ( 67 ** ) 






• **6 


• • y * • 


* (* ** 6 ** 7 ** ) 






• 2**6 


• • • • 


* (* 2 ** 6 ** ** ) 




We then renumber the 32-bit values kj as 128-bit subkeys Ki (for i ∈ {0, ..., r}) as follows












• 


• • 


• . . 2 ** • 


(1) 


If we are implementing the algorithm in the form initially described in the section above, rather than using bitslice operations, we now apply IP to the round key in order to place the key bits in the correct column, i.e. K̂i = IP(Ki).





As mentioned above, the differential and linear properties of the DES S-boxes are well understood. Our preliminary estimates indicate that the number of known/chosen plaintexts required for either type of attack would exceed 2^ (they are certainly well over and we are working on more accurate bounds).

There is thus no indication of any useful shortcut attack; we believe that such an attack would require a new theoretical breakthrough. In any case it should be noted that, regardless of the design of a 128 bit block cipher, it is normally prudent to change keys well before 2^64 blocks have been encrypted in order to avoid the collision attack of section 5.2 below. This would easily prevent all known shortcut attacks.
We designed the cipher with a view to reducing or avoiding vulnerabilities arising from the following possible weaknesses and attacks. In our analysis we use conservative bounds to enable our claims to resist reasonable improvements in the studied attacks. For example we analyze the cipher using -round and -round characteristics, shorter by and rounds than the cipher, while the best attack on DES uses characteristics that are shorter by only three rounds. Our estimates of the probabilities of the best characteristics are also very conservative; in practice they should be considerably lower. Therefore our complexity claims are probably much lower than the real values, and Serpent is expected to be much more secure than we actually claim.

Dictionary Attack

As the block size is 128 bits, a dictionary attack will require 2^128 different plaintexts to allow the attacker to encrypt or decrypt arbitrary messages under an unknown key. This attack applies to any deterministic block cipher with 128-bit blocks regardless of its design.

Collision Attack

After encrypting about 2^64 plaintext blocks in the ECB or CBC mode, one can expect to find two equal ciphertext blocks. This enables an attacker to compute the exclusive-or of the two corresponding plaintext blocks [1]. With progressively more plaintext blocks, plaintext relationships can be discovered with progressively higher probability. This attack applies to any deterministic block cipher with 128-bit blocks regardless of its design.

Key Collision Attack

For a key size k, key collision attacks can be used to forge messages with complexity only 2^(k/2) [5]. Thus the complexity of forging messages under 128-bit keys is only 2^64, under 192-bit keys it is 2^96, and under 256-bit keys it is 2^128. This attack applies to any deterministic block cipher and depends only on its key size, regardless of its design.

Differential Cryptanalysis

An important fact about Serpent is that any characteristic must have at least one active S-box in each round. At least two active S-boxes are required on average, due to the property that a difference in only one bit in the input causes a difference of at least two bits in the output of each S-box. Therefore, if only one bit differs in the input of some round then at least two differ in the output, and these two bits affect two distinct S-boxes in the following round, whose output differences affect at least four S-boxes in the following round.

We searched for the best characteristics of this cipher. For this we made a worst case assumption that all the entries in the difference distribution tables have probability 1/ except the few entries which have only one bit input difference and one bit output difference, which are assumed impossible (probability zero). These bounds are satisfied by all the S-boxes except for one entry of S*, where the maximal value is 1 /16; the highest probabilities in the various S-boxes are 6* 16 and * 16, except in * 2 in which it is * 16 and in * in which it is 1 * 16. We assume later that round 3 is not approximated by the characteristic anyway. Thus the following results hold independently of the order of the S-boxes used in the cipher and independently of the choice of the S-boxes, so long as they satisfy these minimal conditions. We searched for the best characteristics with up to seven rounds, and the ones with the highest probabilities are given in Table 1.
[Table 1 residue: "Bounds on the probabilities of differential and linear characteristics"; the entries are not recoverable from the scan.]



Table 1 means that the probability of a 6-round characteristic is bounded by . Thus the probability of a -round characteristic is bounded by ~ ^ “ ®. In practice the probability of the best -round characteristic is expected to be much lower than this. Thus even if an attacker can implement an attack, still the attack requires more than ^ chosen plaintexts (and again this is a very conservative estimate). If the attacker can implement only a 1R attack using a -round characteristic, the probability of the characteristic is bounded by “ “ and the attack requires more plaintexts than are available. A 3R attack would require even more plaintexts.

Notice that if the linear transformation had used only rotates then every characteristic could have 32 equiprobable rotated variants, with all the data words rotated by the same number of bits. This is the reason that we also used shift instructions, which avoid most of these rotated characteristics.

We have bounded the probabilities of characteristics. However, it is both much more important and much more difficult to bound the probabilities of differentials. In order to reduce the probabilities of differentials we have (1) reduced the probabilities of the characteristics, (2) ensured that there are few characteristics with the highest possible probability and that they cannot be rotated and still remain valid, (3) arranged for characteristics to affect many different bits so that they cannot easily be unified into differentials.

We conjecture that the probability of the best -round differential is not higher than “ ^ and that such a differential, if it exists, would be very hard to find. (Note that for any fixed key there are expected to be differentials with probability “ ^, but averaging over all possible keys reduces this average probability to about “ ^.)

Linear Cryptanalysis

In linear cryptanalysis it is possible to find one-bit to one-bit relations of the S-boxes. The probability of these relations are 1/2 ± 2/16. Thus a -round linear characteristic with only one active S-box in each round would have probability 1* *16)^ 1* “ ^, and thus an attack based on such relations would require about known plaintexts, if it were possible at all (as the linear transformation assures that in the round following a round with only one active S-box at least two are active).

More general attacks can use linear characteristics with more than one active S-box in some of the rounds. In this case the probabilities of the S-boxes are bounded by 1/2 ± 6/16. As with differential cryptanalysis we can bound the probability of characteristics. We searched for the best linear characteristic of this cipher under the assumptions that the probability of any entry is not further from 1/2 than 6/16 and that the probability of a characteristic which relates one bit to one bit is not further from 1/2 than 2/16. Note that due to the relation between linear and differential characteristics the searches are very similar; we actually modified the search program used in the differential case to search for the best linear characteristics with up to seven rounds, and those with the highest probabilities are given in Table 1.

Table 1 means that the probability of a 6-round characteristic is bounded by - 2-2 and we conclude that the probability of a -round characteristic is bounded by 1* “ ‘. The probability of a -round characteristic is bounded by 1* “ and an attack based on it would require at least known plaintexts. Again we wish to emphasize that all these figures are conservative lower bounds and that the actual complexities of attacks are expected to be substantially higher.

Based on these figures we conjecture that the probability of the best -round linear differential is bounded by 1* “, so an attack would need at least blocks. Again this is a very conservative estimate; we believe the real figure is over ^ and that linear attacks are thus infeasible. We are working on more accurate figures; meantime the normal prudent practice of changing keys well before 2^64 blocks have been encrypted will prevent linear attacks.

Higher-Order Differential Cryptanalysis

It is well known that the k-th order differential of a function of nonlinear order k is constant, and this can be exploited in higher order differential attacks [17, 19]. The DES S-boxes all have nonlinear order 3 [5, 1]. From this one would expect that the nonlinear order of the output bits after r rounds is about 3^r, with the maximum value of 127 reached after five rounds. Therefore we are convinced that higher order differential attacks are not applicable to Serpent.



Truncated Differential Cryptanalysis

For some ciphers it is possible and advantageous to predict only the values of parts of the differences after each round. This notion of truncated differential attacks was introduced by Knudsen in [17]. However, the method seems best applicable to ciphers where all operations are done on larger blocks of bits. Because of the strong diffusion over many rounds we believe that truncated differential attacks are not applicable to Serpent.



Related Keys

As the key schedule uses rotations and S-boxes, it is highly unlikely that keys can be found that allow related key attacks [15, 16]. Moreover, different rounds of Serpent use different S-boxes, so even if related keys were found, related-key attacks would not be applicable.

Serpent has none of the simpler vulnerabilities that can result from exploitable symmetries in the key schedule: there are no weak keys, semi-weak keys, equivalent keys or complementation properties.

Other Attacks

Davies' attack [1, 13] and the improved Davies attack [6] are not applicable, since the S-boxes are invertible and no duplications of data bits are applied. As far as we know, neither statistical cryptanalysis nor partitioning cryptanalysis [1] provides a less complex attack than differential or linear cryptanalysis.



Fault Analysis

We have not been concerned in this design to build in any particular protection against attacks based on induced faults [3]. If an attacker can progressively remove the machine instructions by which this cipher is implemented, or progressively destroy a circuit's gates, or progressively modify the bits of the key register, then he can clearly extract the key. We tend to the view that an attacker with the ability to inspect or modify the implementation detail will have many attacks based not just on compromising keys but on subverting protocols, extracting plaintext directly, and so on. The mechanisms required to protect against such attacks are largely independent of the design of any block cipher used, and are thus beyond the scope of this work.
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impl m nt this iph r on 133M z ntium/MM pro ssor. 3 - 
roun itsli (unoptimiz ) impl m nt tion ( v il 1 onlin from th uthors’ 
w p g s) g V sp s whi h r only slightly slow r th n it n rypt 

976 157 its p r s on whil th st optimiz impl m nt tion ( ri 

oung’s Li s) n rypts 9 6 its p r s on on th s m m hin . 

h p rform n of th iph r on oth r pro ssors in itsli mo shoul 
only slightly slow r th n th st n r impl m nt tion of . h n o in 
ss m ly 1 ngu g this iph r might vnfstrthn .ttks som wh t 

ov r instru tions to n rypt 1 its v rsus typi lly 7 instru tions to 

n rypt 6 its in .hr son our iph r is not 5 % slow r is th t it h s 
n sign to m k goo us of pip lining. 

The instruction count is based on the observation that the gate circuit of any of the S-boxes requires between 19 and … gates on the Pentium, between 1… and … on MMX (using only MMX instructions), and between 1… and …5 on the Alpha (the numbers vary due to the different sets of instructions, which are detailed in the appendix). MMX has the additional advantage that it can operate on 64-bit words, or alternatively on two 32-bit words at once (so two encryptions can be done in parallel using the same or different keys). It is also implemented with greater parallelism on some recent chips (e.g. the Pentium …). On the other hand it does not have rotate operations, so rotates require four instructions (copy, shift left, shift right and OR).

It is also worth remarking that if this cipher is adopted as the Advanced Encryption Standard, and chip makers wish to support high-speed implementation, then it may not be necessary to add a hardware encryption circuit to the CPU. It would be sufficient to add what we call the '…L instruction'. This executes an arbitrary boolean function on four registers under the control of a truth table encoded in a (64-bit) fifth register. We estimate that the cost of implementing this on an n-bit processor will only be about 1…n gates, and it would have many uses other than cryptography (an example would be image processing). If supported, one such instruction would replace most of the instructions in each round, and Serpent would become two or three times faster than DES.

It is also worth noting that hardware implementations of the cipher can iteratively apply one round at a time, although the S-boxes in each round are different. The trick is similar to the instruction described above: the designers of the hardware can design the round function to get a description of the S-boxes as a parameter in some register, and compute the S-boxes according to this description. This trick crucially reduces the number of gates required for the hardware implementation of the cipher. An estimate of the gate count will be provided in the full submission.
As we remarked above, there are two ways in which the block size can be doubled:

1. increase the word length (in the bitslice implementation) from 32 to 64 bits (or more);

2. use the round function as the F-function in a Feistel construction.

If both of these are done, then the block size will quadruple. These variants might require other modifications of the cipher, such as modifications in the rotation constants. We believe that these variants are secure (or can easily be made so); work on them is ongoing.



We have presented a cipher which we have engineered to satisfy the AES requirements. It is about as fast as DES and conjectured to be as secure as three-key triple DES. Its security is partially based on the reuse of the thoroughly studied components of DES, and thus can draw on the wide literature of block cipher cryptanalysis published in the last …. Its performance comes from allowing an efficient bitslice implementation on a range of processors, including the market-leading Intel/MMX and compatible chips.

This is still a preliminary design and may change between the time of writing and the final submission. Readers are invited to attack the cipher, to test implementations in various environments, and to report any interesting findings to the authors. A patent application has been filed, but it is our intention to grant worldwide royalty-free licenses for conforming implementations in the event that this cipher is adopted as the Advanced Encryption Standard.

Finally, up-to-date information on Serpent, including the latest revision of the paper, can be found on the authors' home pages.

The first author was supported by Intel Corporation during a visit to Cambridge in September 1997, while much of this work was done; and the name of the cipher was suggested by Gideon Yuval (see Amos 5:19).
[Table residue of the linear transformation (output bit / input bits); the entries are not recoverable from the scan.]

For each output bit of this transformation we describe the list of input bits whose parity becomes the output bit. In each row we describe four output bits which later enter the same S-box in the next round. The bits are listed from 0 to 127.
[S-box table residue: the S-boxes … through … (each one on a separate line); the entries are not recoverable from the scan.]
The relevant instructions on the following processors are:

Pentium: three instructions (names lost in the scan), plus rotate
MMX: three instructions (names lost in the scan), only shifts
Alpha: five instructions (names lost in the scan), only shifts

where the AND operation on $a$ and $b$ is $a \wedge b$, the OR operation is $a \vee b$, and the XOR operation is $a \oplus b$ (or equivalently …).

On MMX a rotate takes four instructions, while on an Alpha it takes three. On Pentium and MMX it might be necessary to copy some of the registers for use, as instructions have only two arguments; but some instructions can refer directly to memory. The Alpha instructions have 3 arguments (src1, src2 and destination) but cannot refer directly to memory.



6 t 

Here we describe some design history. In our first design the linear transformations were just bit permutations, which were applied as rotations of the 32-bit words in the bitslice implementation. In order to ensure maximal avalanche, the idea was to choose these rotations in a way that ensured maximal avalanche in the fewest number of rounds. Thus we chose three rotations at each round: we used (13, …, 7) for the even rounds and (…5, 13, …) for the odd rounds. The reason for this was that (a) rotating all four words is of course useless, (b) a single set of rotations did not suffice for full avalanche, (c) these sets of rotations have the property that no difference of pairs in either of them coincides with a difference either in the same set or the other set.

However, we felt that the avalanche was still slow, as each bit affected only one bit in the next round, and thus one active S-box affected only about … of the 32 S-boxes in the next round. As a result we had to use 64 rounds, and the cipher was only slightly faster than triple-DES. So we moved to a more complex linear transformation; this improved the avalanche, and analysis showed that we could now reduce the number of rounds to 32. We believe that the final result is a faster and yet more secure cipher.

We also considered improving the cipher by replacing the XOR operations by seemingly more complex operations such as additions. We did not do this for two major reasons: (1) our analysis takes advantage of the independence between the bits in the XOR operation, as it allows us to describe the cipher in a standard way and use the known kinds of security analysis; this analysis would not hold if the XOR operations were replaced; (2) in some other ciphers the replacement of XORs by additions (or other operations) has turned out to weaken the cipher rather than strengthening it.
An unoptimized reference implementation is available from the authors' home pages. Note, however, that the cipher may still be modified in the future as it progresses through the selection process.
The standard technique to attack triple encryption is the meet-in-the-middle attack, which requires $2^{112}$ encryption steps. In this paper more efficient attacks are presented. One of our attacks reduces the overall number of steps to roughly $2^{108}$. Other attacks optimize the number of encryptions at the cost of increasing the number of other operations. It is possible to break triple DES doing $2^{90}$ single encryptions and no more than $2^{113}$ faster operations.



The most well-known symmetric encryption algorithm is the Data Encryption Standard (DES). It defines a block cipher with 64-bit blocks and 56-bit keys. Due to questions raised regarding the small key size, several varieties of multiple encryption have been considered for DES, including double DES and triple DES.

[Figure 1: double encryption (top) and triple encryption (bottom)]

In this paper we consider arbitrary single encryption functions $E: \{0,1\}^k \times \{0,1\}^s \to \{0,1\}^s$ with $k$-bit keys and block size of $s$ bits, and in particular

* Part of this work was done while the author was at the University of Göttingen.
we point out the consequences of our findings for triple DES. Since multiple encryption is mainly of relevance to strengthen block ciphers with small key space, we concentrate on $k \le s$. With two $k$-bit keys $L$ and $M$ and one encryption function $E$, double encryption is defined by $C = E_M(E_L(P))$. Here $C$ denotes the ciphertext and $P$ the plaintext. Similarly, triple encryption is defined by $C = E_N(E_M(E_L(P)))$. We generalize DES double and triple encryption. (By $L = N$ this defines the special case of two-key triple encryption. In this paper we concentrate on the general (three-key) triple encryption.)

Double DES is double encryption with $E = \mathrm{DES}$. Triple DES is usually defined by $E^1 = E$, $E^2 = D$, $E^3 = E$, that is: $E$ denotes the (single) DES encryption function and $D$ its decryption counterpart.

In general we assume the functions $E_K$ and $D_K$ to behave like two random permutations, with $K \in \{0,1\}^k$ chosen according to the uniform probability distribution. Usually, nonrandom statistical properties are considered to be weaknesses of a block cipher. In the special case of DES two important statistical weaknesses are known: the complementation property, which is exploited in Section 6 of this paper, and a small number of weak keys.

All attacks considered in this paper are key-search attacks and exploit known (or chosen) pairs of plaintext and ciphertext. To measure the complexity of an attack we consider four values:

1. The number of known plaintext-ciphertext pairs.

2. The storage required for the attack.

3. The number of single encryptions $y = E_K(x)$ or $x = D_K(y)$ to mount the attack.

4. The overall number of operations ("steps") to mount the attack.

The third value demands some explanation. Clearly, given a key $K$ and a plaintext $x$ (or ciphertext $y$), the attacker can compute the corresponding ciphertext $y = E_K(x)$ (or the corresponding plaintext). Good block ciphers behave like random permutations, hence given some triples (plaintext, ciphertext, key) one can't find other triples more efficiently than by encrypting/decrypting again.

Attacking multiple encryption without breaking the underlying encryption function can be described as attacking multiple encryption in the presence of an encryption/decryption oracle. Figure 2 visualizes such an oracle. The underlying cipher is treated as a black box. We simply write "single encryption" for using the encryption/decryption oracle. Much work has been done with respect to this model.

This view also motivated us to specifically count the single encryptions in addition to counting all steps. Note that such a single encryption counts as one step, but in practice it is an exceptionally complex step by itself, compared to common operations like comparisons and table look-ups.

One may well concentrate on the number of single encryptions and disregard the number of steps and the amount of space required. This is an approved method for estimating the minimum strength of composed ciphers in order to demonstrate the soundness of the composition technique. In this context
[Figure 2: An encryption/decryption oracle. Input: value $v$, key $K$, direction $d$ (encrypt or decrypt); result $r = E_K(v)$ if $d$ = encrypt, $r = D_K(v)$ if $d$ = decrypt.]

one can neglect possible weaknesses of the underlying encryption function. Realizations of the underlying encryption function are available to the attacker by querying an encryption/decryption oracle, but the attacker has no knowledge about the oracle's internals. In the sequel we refer to this point of view as the "black-box-only" model.

The rest of this paper is organized as follows. Section 2 describes previously known attacks, concentrating on the meet-in-the-middle attack. In Section 3 we introduce the notion of "$t$-collisions" and use it for a technique to reduce the number of steps. In Sections 4 and 5 we consider that single encryptions are much slower than each of the other steps and design an attack optimized to save single encryptions (but not the total number of steps). In Section 6 we exploit the complementation property of DES and triple DES to further improve our attacks. Finally, in Section 7 we concentrate on the consequences of our findings for the security of triple DES.



Double encryption can be broken with meet-in-the-middle (MITM) [...]. This attack requires $\lceil 2k/s \rceil$ known plaintext/ciphertext pairs, on the average about $2^k$ units of storage, about $2^k$ single encryptions, and about as many steps. For plaintext $p$ and corresponding ciphertext $c$ we compute all values $a_L = E_L(p)$ and store all pairs $(a_L, L)$ in a table indexed by $a_L$. Since there are $2^k$ keys $L$, this requires $2^k$ units of storage, $2^k$ steps and $2^k$ single encryptions. Now all values $b_M = D_M(c)$ are computed. For the correct key pair $(L, M)$ the equation $a_L = b_M$ must hold. Thus the attacker needs to look up in the previously computed table of pairs






[Residue of a table, largely unrecoverable from the scan: two-key triple encryption can be broken by a chosen plaintext attack using about $2^k$ units of everything, i.e. $2^k$ plaintext/ciphertext pairs, $2^k$ units of storage, $2^k$ single encryptions and $2^k$ steps.]

General triple encryption is also broken by MITM [4, Section 7.2.3]. Let a plaintext/ciphertext pair $(p, c)$ be given. Proceed as follows:
1. Compute all values $b_N = D_N(c)$, $N \in \{0,1\}^k$, and store the pairs $(b_N, N)$ in a table indexed by $b_N$.

2. Compute all values $b_{L,M} = E_M(E_L(p))$, $L, M \in \{0,1\}^k$, and look for $(b_{L,M}, N)$ in the previously computed table of pairs $(b_N, N)$.

3. Test all key triples $(L, M, N)$ with $b_{L,M} = b_N$ until only one such triple remains.

The first step requires about $2^k$ steps and single encryptions and as many units of storage. The second requires about $2^{2k}$ steps and single encryptions. The third step is cheap. Note that we need at least $\lceil 3k/s \rceil$ pairs of plaintext and ciphertext for the attack. In the case of triple DES we need $l = \lceil 3 \cdot 56 / 64 \rceil = 3$ such pairs, about $2^{56}$ units of storage, about $2^{112}$ single encryptions, and the same number of steps (mainly table look-ups). (The exact number of steps and single encryptions needed for the MITM attack is $2^{112} + 2^{56}$. This is the number we use when comparing the MITM attack with our probabilistic attacks.)

Advanced MITM techniques for attacking two-key triple encryption have been studied by van Oorschot and Wiener [6]. The same authors also proposed advanced MITM techniques for attacking double encryption [7].

Kelsey, Schneier and Wagner [2] demonstrate how to attack three-key triple DES using related-key techniques. Let plaintext $p$ and corresponding ciphertext $c$ be known to the attacker. Assume the attacker to be able to change the first subkey from $L$ to $L \oplus \Delta$ (both $L$ and $L \oplus \Delta$ unknown to the cracker, but $\Delta$ known). If the attacker receives the decryption of $c$ under the modified key, then he can find the subkey $L$ using only $2^{…}$ steps (and the same number of single encryptions). The second and third subkeys $M$ and $N$ can then be found in the … of double encryption.

[Text residue, partly lost in the scan:] If the same plaintext is encrypted $2^{…}$ times using triple DES under $2^{…}$ different keys, an attacker can recover one of the $2^{…}$ keys using $2^{…}$ steps (and the same number of single encryptions). This result is due to Biham [1].
DESX is a variant of DES where encrypting and decrypting require to compute one single encryption and two XORs of $s$-bit blocks. Kilian and Rogaway [3] describe the security of DESX in the black-box-only model, concentrating on finding lower bounds for the number of single encryptions every black-box attack needs.

In this section we describe an "operation optimized" attack to save some steps of computation compared to MITM.

Consider a function $f: \{0,1\}^k \to \{0,1\}^s$. A collision is a pair of inputs with $x \ne y$ and $f(x) = f(y)$. A value $v \in \{0,1\}^s$ is associated with a $t$-collision if there exists a set $S'$ with $|S'| = t$ of inputs and $f(x) = v$ for all

[Footnote, cut off by the page break in the scan: In computing the complexity of Step 2, the operations of computing a value $b_{L,M} = E_M(E_L(p))$, looking up the pair $(b_{L,M}, N)$ in the table, and the operations to maintain the loop together count …]
$x \in S'$. Assuming the function $f: \{0,1\}^k \to \{0,1\}^s$ to behave like a random function and that $l = w \le 2^k$ inputs are randomly chosen, the expected number of values $v \in \{0,1\}^s$ associated with $t$-collisions is about $w^t \cdot 2^{-s(t-1)}$.¹ Given plaintext/ciphertext pairs $(p_i, c_i)$, our attack depends on finding $t$-collisions for the function $f_{p_i}: \{0,1\}^k \to \{0,1\}^s$, $f_{p_i}(L) = E_L(p_i)$. We consider all keys $L \in \{0,1\}^k$, hence the number of inputs for the function $f_{p_i}$ is $w = 2^k$. We write $K_1(a,i)$ for the set of all keys which encrypt the plaintext $p_i$ to the ciphertext $a$ using $E^1$. Similarly we write $K_3(b,i)$ for all keys which decrypt the ciphertext $c_i$ to $b$ using $E^3$:

$K_1(a,i) = \{L \in \{0,1\}^k \mid E_L(p_i) = a\}$ and
$K_3(b,i) = \{N \in \{0,1\}^k \mid D_N(c_i) = b\}$.

If $|K_1(a,i)| = t$, the value $a$ is associated with a $t$-collision. Given a pair $(p_i, c_i)$ we choose a set $S_A(i) \subseteq \{0,1\}^s$ of values associated with $t$-collisions:

$S_A(i) = \{a \in \{0,1\}^s \mid \text{there exists a } t\text{-collision } K_1(a,i)\}$.

Our attack works like this:

  i := 1;
  repeat
    let (p_i, c_i) ∈ ({0,1}^s)^2 be a known pair of plaintext and ciphertext;
    initialize the sets K_1(·, i) and S_A(i) to empty;
    Step 1: for L ∈ {0,1}^k: a := E_L(p_i);
              K_1(a,i) := K_1(a,i) ∪ {L};
              if |K_1(a,i)| = t then S_A(i) := S_A(i) ∪ {a};
            (* Now S_A(i) is the set of all values a associated with t-collisions. *)
    Step 2: for N ∈ {0,1}^k: b := D_N(c_i);
              K_3(b,i) := K_3(b,i) ∪ {N};
    Step 3: for a ∈ S_A(i):
              for M ∈ {0,1}^k: b := E_M(a);
                for N ∈ K_3(b,i):
                  for L ∈ K_1(a,i): tripletest(i, L, M, N);
    i := i + 1;
  until tripletest accepts.

The procedure "tripletest" can be realized like this:

  tripletest(i, L, M, N) is
    S_i := {1, ..., l} \ {i};
    d := 3k − s + δ;
    repeat choose j ∈ S_i at random;

¹ Rivest and Shamir [8] exploit this for one of their micropayment schemes. To verify this estimation one can use the well-known special case $t = 2$ ("birthday paradox"): a collision is expected after about $u \approx c \cdot 2^{s/2}$ inputs with $c \approx 1$ (actually $c = \sqrt{\pi/2} \approx 1.25$, [4, Section 2.1.5]).



u 
      S_i := S_i \ {j};
      c := E_N(E_M(E_L(p_j)));
      d := d − s;
    until (d ≤ 0) or (c_j ≠ c);
    if (c_j = c) then accept (L, M, N) as the correct key triple and stop,
    else reject (L, M, N) and continue.

When "tripletest" is called, the equation $E_N(E_M(E_L(p_i))) = c_i$ holds, and the procedure is looking for $j \ne i$ such that $E_N(E_M(E_L(p_j))) \ne c_j$. If it does not find one in enough, i.e. $\lceil (3k - s + \delta)/s \rceil$, attempts, we accept the key triple $(L, M, N)$ as correct. The value $\delta$ serves as security parameter: the risk to accept an incorrect key triple is no more than $2^{-\delta}$.

On the average a wrong key triple requires insignificantly more than three single encryptions, i.e. one computation of $c := E_N(E_M(E_L(p_j)))$, since for $j \in \{1, \ldots, l\} \setminus \{i\}$ the equation $E_N(E_M(E_L(p_j))) = c_j$ holds once out of $2^s$ times. The correct triple is always accepted after $\lceil (3k - s + \delta)/s \rceil$ rounds. Two rounds are sufficient for triple DES ($k = 56$ and $s = 64$) if $\delta \le 20$. In the sequel we assume $\delta$ to be "large enough" and ignore the risk of accepting an incorrect key triple.

Let $t$ be chosen such that $w^t \cdot 2^{-s(t-1)} \le 2^k$.

Theorem 1. [Statement partly lost in the scan:] Given $l = 2^k / (w^t \cdot 2^{-s(t-1)} \cdot t)$ pairs $(p_i, c_i)$ of plaintext and ciphertext, the attack above is expected to find the correct key triple.

Proof (sketch). Every $t$-collision $K_1(a,i)$, $a \in S_A(i)$, consists of $t$ different keys and hence has a $t \cdot 2^{-k}$ chance to contain the correct first key $L$. Every index $i$ corresponds to a pair $(p_i, c_i)$ of plaintext and ciphertext. For every $i$ we expect to find about $w^t \cdot 2^{-s(t-1)}$ values $a$ to be associated with $t$-collisions $K_1(a,i)$. Thus the expected number of (plaintext, ciphertext) pairs we need to consider in order to find the correct first key $L$ is $2^k / (w^t \cdot 2^{-s(t-1)} \cdot t)$.

It is easy to verify the following: if $(L, M, N)$ is the correct key triple, $a \in S_A(i)$ and $L \in K_1(a,i)$, then the procedure tripletest$(i, L, M, N)$ is executed in Step 3 with the index $i$ and the keys $(L, M, N)$ as parameters. □

Theorem 2. [Statement partly lost in the scan:] Given $l$ pairs $(p_i, c_i)$ and $w = 2^k$, the attack requires

• $O(2^k)$ units of storage,

• $O(l \cdot w^t \cdot 2^{-s(t-1)} \cdot 2^k + l \cdot w^t \cdot 2^{-s(t-1)} \cdot t \cdot 2^{2k-s})$ steps, and similarly many single encryptions.

y 

Proof (sketch). Both steps are to be executed $l$ times. During every iteration of the "repeat" loop no results of previous iterations are needed. Hence the amount of storage for the attack can be estimated by the storage during one iteration, and the required number of steps is $l$ times the average number of steps during one iteration. Below we estimate the storage and the number of steps for one such iteration.

Both loops of Steps 1 and 2 iterate $2^k$ times, hence the number of steps is about $2 \cdot 2^k$. When the first loop is finished, the storage for the sets $K_1(a,i)$ (i.e. $2^k$ units) is no longer needed and can be reused, with the exception of the sets $K_1(a,i)$ for $a \in S_A(i)$. For the second loop $2^k$ units of storage are needed. For the sets $S_A(i)$, since $w^t \cdot 2^{-s(t-1)} \le 2^k$, we expect the probability for $|S_A(i)| > 2^k$ to be negligible and approximate the storage for Steps 1 and 2 by $2^k$.

Now consider Step 3. For every pair $(p_i, c_i)$ we expect the existence of $w^t \cdot 2^{-s(t-1)}$ $t$-collisions; thus the loop "for $a \in S_A(i)$" iterates $w^t \cdot 2^{-s(t-1)}$ times on the average. The loop "for $M \ldots$" is iterated $2^k$ times, hence $w^t \cdot 2^{-s(t-1)} \cdot 2^k$ single encryptions $b := E_M(a)$ are done. So far we need $w^t \cdot 2^{-s(t-1)} \cdot 2^k$ steps. The expected size of a set $K_3(b,i)$ is $2^{k-s} \le 1$. $K_1(a,i)$ is a $t$-collision, thus it contains about $t$ keys $L$, and the procedure tripletest is to be called $w^t \cdot 2^{-s(t-1)} \cdot 2^k \cdot 2^{k-s} \cdot t$ times.

During each of the iterations of Steps 1–3, and hence during the complete algorithm, $O(2^k)$ units of storage are needed, and the number of steps is

$l \cdot O(2^k + w^t \cdot 2^{-s(t-1)} \cdot 2^k + w^t \cdot 2^{-s(t-1)} \cdot 2^k \cdot 2^{k-s} \cdot t) = O(l \cdot w^t \cdot 2^{-s(t-1)} \cdot 2^k + l \cdot w^t \cdot 2^{-s(t-1)} \cdot t \cdot 2^{2k-s})$,

and similarly for the number of single encryptions. □

The constants hidden by the asymptotics are small. Given $l$ pairs of plaintext and ciphertext, we need about $2^k$ units of storage, as is the case for the MITM attack. The number of steps is $a + b + c$, where $a = 2 \cdot l \cdot 2^k$ is the number of steps for Steps 1 and 2, $b = l \cdot w^t \cdot 2^{-s(t-1)} \cdot 2^k$ is the number of steps for the outer loop of Step 3 (i.e. the number of times the operation $b := E_M(a)$ is executed), and $c \approx 3 \cdot l \cdot w^t \cdot 2^{-s(t-1)} \cdot t \cdot 2^{2k-s}$ is the number of steps for all inner loops of Step 3 and for tripletest.

For triple DES ($k = 56$ and $s = 64$) the expected number of $t$-collisions is about $2^{kt} \cdot 2^{-s(t-1)} = 2^{kt - s(t-1)}$. For $t = 8$ this is $2^0 = 1$: we expect one 8-collision. The attack then requires about $2^{56}$ units of storage and, for $t = 8$, $l = 2^k / (w^t \cdot 2^{-s(t-1)} \cdot t) = 2^{53}$ and about $a + b + c \approx 2^{1…}$ steps (mainly table look-ups and single encryptions), instead of $2^{112}$ similar steps for MITM.

We can improve this by choosing $t = 7$: the expected number of 7-collisions is $2^{kt - s(t-1)} = 2^8 = 256$. Again the attack requires about $2^{56}$ units of storage. Now $l = 2^k / (w^t \cdot 2^{-s(t-1)} \cdot t) = 2^{56} / (256 \cdot 7) \approx 2^{45.2}$, so $a \approx 2^{102.2}$, $c \approx 3 \cdot 2^{104}$ and

$b = (2^k / (w^t \cdot 2^{-s(t-1)} \cdot t)) \cdot w^t \cdot 2^{-s(t-1)} \cdot 2^k = 2^{2k}/7 = 2^{112}/7 \approx 2^{109.2}$,

thus we need only slightly more than $2^{109.2}$ steps (and as many single encryptions).

From a practical point of view the operation optimized attack is not very useful for breaking triple DES. It is faster than MITM but requires much more
pairs of known plaintext/ciphertext (e.g. about $2^{45.2}$ if $t = 7$, compared to 3 for MITM). But from a theoretical point of view the attack's performance clearly indicates triple DES to be weaker than widely believed.



The previous section's technique to reduce the number of steps seems to be at its end. So in the next two sections we concentrate on reducing the number of single encryptions instead of the number of steps. This section deals with an "encryption optimized" attack. Instead of $l$ sets $S_A(i)$ depending on $p_i$, we choose one fixed set $S_A$ and no longer exploit the occurrence of $t$-collisions.

Let there be $l$ plaintext/ciphertext pairs $(p_1, c_1), \ldots, (p_l, c_l)$ known to the attacker. In the previous section we computed sets $S_A(i) \subseteq \{0,1\}^s$ for every index $i \in \{1, \ldots, l\}$; now instead we choose one set $S_A = S_A(1) = \cdots = S_A(l)$. The size $|S_A|$ of $S_A$ is fixed and $|S_A| \le 2^s$. We assume the $a \in S_A$ to be chosen randomly. (We use the independence of the set $S_A$ and the values $E_L(p_i) \in \{0,1\}^s$, where $L$ denotes the correct first key.) Our attack consists of three steps:

1. For $a \in S_A$ compute the sets
   $S_1(a) = \{(i, L) \in \{1, \ldots, l\} \times \{0,1\}^k \mid E_L(p_i) = a\}$.

2. For $b \in \{0,1\}^s$ and $i \le l$ compute the sets
   $K_3(b, i) = \{N \in \{0,1\}^k \mid E_N(b) = c_i\}$.

3. For $M \in \{0,1\}^k$ and $a \in S_A$:
     $b := E_M(a)$;
     for $(i, L) \in S_1(a)$:
       for $N \in K_3(b, i)$:
         tripletest$(i, L, M, N)$.

What is the chance to find the correct key by using this algorithm?

Theorem 3. [Statement partly lost in the scan:] If $|S_A| \ge 2^s / l$, the attack finds the correct key triple with probability at least $1/2$.

Proof (sketch). The attack succeeds in finding the correct key triple $(L, M, N)$ if for any $i \in \{1, \ldots, l\}$ the operation "tripletest$(i, L, M, N)$" is executed, i.e. if a pair $(i, a)$ exists in $\{1, \ldots, l\} \times S_A$ with $E_L(p_i) = a$. The existence of such a pair can be expected if $l \cdot |S_A| \ge 2^s$ (due to the birthday paradox). □

One of the resources required to mount the attack is the number $l$ of known plaintext/ciphertext pairs. What about the other resources?

Theorem 4. [Statement partly lost in the scan; the visible parameters are $|S_A| \approx 2^s / l$, $s \ge k$ and a range for $l$ whose bounds are lost:] The attack requires

• $O(l \cdot 2^k)$ units of storage,

• $O(2^{2k})$ steps,

• $O(2^{3k-s})$ single encryptions.

Proof (sketch). Let the sets $S_1(\cdot)$ and $K_3(\cdot, \cdot)$ be initialized to empty. The first two steps can be realized like this:

1. for $i \le l$ and $L \in \{0,1\}^k$: $a := E_L(p_i)$;
     $S_1(a) := S_1(a) \cup \{(i, L)\}$.
   (* For $a \notin S_A$ the set $S_1(a)$ is not needed. *)

2. for $i \le l$ and $N \in \{0,1\}^k$: $b := D_N(c_i)$;
     $K_3(b, i) := K_3(b, i) \cup \{N\}$.

Each loop is iterated $l \cdot 2^k$ times, hence the overall number of elements in the sets $K_3(\cdot, \cdot)$ is $l \cdot 2^k$, the overall number of elements in the sets $S_1(\cdot)$ is the same (but we only need the sets $S_1(a)$ for $a \in S_A$), and the number of steps and single encryptions for the first two steps is $O(l \cdot 2^k)$.

Step 3 requires much less storage than the first two steps. Its outer loop "for $M \in \{0,1\}^k$ and $a \in S_A$" is iterated $2^k \cdot |S_A| \approx 2^{k+s}/l$ times. On the average the middle loop "for $(i, L) \in S_1(a)$" is iterated $l \cdot 2^k / 2^s$ times, and the inner loop "for $N \in K_3(b, i)$" is iterated $2^{k-s}$ times. Since $2^{k-s} \le 1$, the outer and the middle loop determine the number $(2^k \cdot |S_A|) \cdot (l \cdot 2^k / 2^s) \approx 2^{2k}$ of steps for Step 3. But for the single encryptions we count how often the operation "$b := E_M(a)$" is executed in the outer loop (i.e. $2^k \cdot |S_A| \approx 2^{k+s}/l$) and three times the number the operation "$c := E_N(E_M(E_L(p_j)))$" is executed within the procedure tripletest (i.e. $3 \cdot (2^k \cdot |S_A|) \cdot (l \cdot 2^k / 2^s) \cdot 2^{k-s} \approx 3 \cdot 2^{3k-s}$). $l \ge 2^{…}$ is required for the tripletest part to dominate the sum, i.e. the number of single encryptions in Step 3 is about $3 \cdot 2^{3k-s} = O(2^{3k-s})$.

Thus the storage requirement for the attack is dominated by Step 2; the number of steps and the number of single encryptions are dominated by Step 3. We need $O(l \cdot 2^k)$ units of storage, $O(2^{2k})$ steps, and especially $O(2^{3k-s})$ single encryptions. □

As one can easily see from the proof, the constants hidden by the asymptotics are small. We need about $l \cdot 2^k$ units of storage, about $2^{2k}$ steps and about $3 \cdot 2^{3k-s} + 2^{k+s}/l$ single encryptions. For triple DES we may choose $l$ within the range $2^{…} \le l \le 2^{…}$. Given, say, $l = 2^{…}$ known pairs of plaintext and ciphertext and roughly $2^{…}$ units of storage (mainly for the elements of the sets $K_3(\cdot, \cdot)$), we walk through loops for about $2^{112}$ times and have to encrypt/decrypt about

$3 \cdot 2^{3k-s} + 2^{k+s}/l + l \cdot 2^k \approx 3 \cdot 2^{104} + 2^{…} + 2^{…} \approx 2^{1…}$

times.

Unlike the operation optimized attack, in which we reduced the number of steps, this section's encryption optimized attack reduces the number of single encryptions but not the number of steps. This optimization reduces the time of the attack if single encryptions are considerably slower than other operations.
The encryption optimized attack is in a way at its limit: tripletest is executed $2^{3k-s}$ times, which induces $3 \cdot 2^{3k-s}$ single encryptions. Recall, in the sketch of proof of Theorem 3 the correct key triple $(L, M, N)$ is found "if a pair $(i, a)$ exists in $\{1, \ldots, l\} \times S_A$ with $E_L(p_i) = a$." In this section we modify the attack: we only execute tripletest if there exist two pairs $(i, a), (j, a') \in \{1, \ldots, l\} \times S_A$ with $E_L(p_i) = a$ and $E_L(p_j) = a'$. This leads to the "advanced attack". (More generally, we could execute tripletest if $r$ pairs $(i_1, a_1), \ldots, (i_r, a_r)$ with $E_L(p_{i_j}) = a_j$ exist in $\{1, \ldots, l\} \times S_A$. In this paper we concentrate on $r \in \{1, 2\}$.) On one hand, this forces us to increase the number of known plaintext/ciphertext pairs $(p_i, c_i)$ in order to succeed. On the other hand, we need to execute the tripletest much less frequently.

The first two steps are the same as before; Step 3 is the following:

3. for $M \in \{0,1\}^k$:
     for $a \in S_A$:
       $b := E_M(a)$;
       for $(i, L) \in S_1(a)$:
         for $N \in K_3(b, i)$:
           if $(L, N) \in S$ then tripletest$(i, L, M, N)$
           else $S := S \cup \{(L, N)\}$.

Theorem 5. [Statement partly lost in the scan; visible parameter $|S_A| \approx 2 \cdot 2^s / l$:] The advanced attack finds the correct key triple with probability at least $1/2$.

Proof (sketch). Let $(L, M^*, N)$ denote the correct key triple. We consider the iteration of the loop "for $M \in \{0,1\}^k$" with $M = M^*$; all other iterations cannot do any harm. If $|S_A| \approx 2 \cdot 2^s / l$, the expected number $r$ of pairs $(i_1, a_1), \ldots, (i_r, a_r) \in \{1, \ldots, l\} \times S_A$ with $E_L(p_{i_j}) = a_j$ is $r = 2$. If there actually exist two such pairs $(i_1, a_1)$ and $(i_2, a_2)$ in $\{1, \ldots, l\} \times S_A$, then the following inclusions hold:

$(i_1, L) \in S_1(a_1)$, $N \in K_3(E_{M^*}(a_1), i_1)$,
$(i_2, L) \in S_1(a_2)$, and $N \in K_3(E_{M^*}(a_2), i_2)$.

In this case the key pair $(L, N)$ is found twice within the execution of the algorithm. At first "$(L, N) \in S$" is wrong and $(L, N)$ is inserted into the set $S$. The second time "$(L, N) \in S$" is true, tripletest$(i, L, M, N)$ is executed (with $i \in \{i_1, i_2\}$) and accepts, because $(L, M, N) = (L, M^*, N)$ is the correct key triple. □



Theorem 6. [Statement partly lost in the scan; visible parameters $|S_A| \approx 2 \cdot 2^s / l$ and $w = 2^k$:] The advanced attack requires

• $O(l \cdot 2^k)$ units of storage,

• $O(2^{2k})$ steps,

• $O(l \cdot 2^k + 2^{k+s}/l)$ single encryptions.

Proof (sketch). The resource requirements for the first two steps of the advanced attack are the same as for the encryption optimized attack.

In the third step, and for fixed $M$ and $a$, the loop "for $(i, L) \in S_1(a)$" is iterated about $l \cdot 2^{k-s}$ times, the test "$(L, N) \in S$" is performed about $2^{k-s}$ times per iteration, and the size of the set $S$ is roughly $|S| \approx …$. The sets $K_3(\cdot, \cdot)$ require $l \cdot 2^k = O(l \cdot 2^k)$ units of storage and thus dominate the advanced attack's storage requirements.

Similarly to the proof of Theorem 4, the number of steps is $(2^k \cdot |S_A|) \cdot (l \cdot 2^k / 2^s) \approx 2^{2k+1} = O(2^{2k})$.

The first two steps together require $l \cdot 2^k$ single encryptions. The operation $c := E_N(\ldots)$ in the procedure tripletest is to be executed about $2^{2k-s}$ times, inducing $3 \cdot 2^{2k-s}$ single encryptions. The operation $b := E_M(a)$ is to be executed $2^k \cdot |S_A| \approx 2^{k+s+1}/l$ times. Since $l \cdot 2^k \ge 3 \cdot 2^{2k-s}$, the number of single encryptions is about

$l \cdot 2^k + 3 \cdot 2^{2k-s} + 2^{k+s+1}/l \approx l \cdot 2^k + 2^{k+s+1}/l$,

i.e. $O(l \cdot 2^k + 2^{k+s}/l)$. □

In practice we need about $l \cdot 2^k$ units of storage, about $2^{2k+1}$ steps and about $2^{k+s+1}/l + l \cdot 2^k$ encryptions/decryptions. We fix $l = 2^{s/2}$ and need about $3 \cdot 2^{k+s/2}$ single encryptions. (1)

For attacking triple DES, given $l = 2^{32}$ known pairs of plaintext and ciphertext, we need $2^{88}$ units of storage and $2^{113}$ steps, but only $2^{90}$ single encryptions.

In comparison to the operation optimized attack, the advanced attack allows us to drastically reduce the amount of single encryptions at the cost of doubling the number of steps. So what is our gain? As mentioned in the introduction, a single encryption is a very complex operation compared to, say, a table look-up. Assume one implementation of DES to require a fixed number of table look-ups per round (the figure is lost in the scan), i.e. 16 times as many table look-ups per encryption; our speed-up can be estimated like this:

* The expected number of $2^{112}$ steps and as many single encryptions of the MITM attack actually corresponds to about $1.3 \cdot 2^{110}$ triple encryptions.

* The operation optimized attack of Section 3 needs $2^{1…}$ steps and single encryptions. These correspond to about $1.3 \cdot 2^{1…}$ triple encryptions.

* The encryption optimized attack needs $2^{112}$ steps (mostly table look-ups) and $2^{1…}$ single encryptions. This is equivalent to about $2^{1…}$ triple encryptions.

* This section's attack requires $2^{113}$ steps (mostly table look-ups) and $2^{90}$ single encryptions. This corresponds to about $1.3 \cdot 2^{1…}$ triple encryptions.

Our result (1) for triple encryption (i.e. $2^{90}$ single encryptions to break triple DES) is very close to Kilian and Rogaway's [3] lower bound for the number of single encryptions required to break DESX. For details see Appendix A.
For DES we pretend the underlying single block cipher to be ideal, i.e. to behave like random permutations. But DES is not an ideal block cipher. Most important in this context is the complementation property: if $\bar{x}$ denotes the complement of the bit-string $x$, then for every plaintext $p \in \{0,1\}^s$ and every key $K \in \{0,1\}^k$

$\mathrm{DES}_{\bar{K}}(\bar{p}) = \overline{\mathrm{DES}_K(p)}$.

How does the complementation property affect the efficiency of our attacks? First note there is not much harm for the attacker. The encryption optimized attack succeeds if the set $\{p_1, \ldots, p_l\}$ and $S_A$ are chosen such that there exists $(i, a) \in \{1, \ldots, l\} \times S_A$ with $E_L(p_i) = a$, $L$ the correct first subkey (proof of Theorem 3). This probability is not at all affected by the complementation property $E_{\bar{L}}(\bar{p}_i) = \bar{a}$. We may argue similarly for the advanced attack.

The success rate of the operation optimized attack depends on the probability that for a plaintext $p_i$ the correct first subkey $L$ participates in a $t$-collision $K_1(a,i) = \{L_1, \ldots, L_t\} \ni L$, i.e. $E_{L_1}(p_i) = E_{L_2}(p_i) = \cdots = E_{L_t}(p_i) = a$. Again, this probability is not affected by the complementation property $E_{\bar{L}}(\bar{p}_i) = \bar{a}$.

Second, there are many ways for the attacker to exploit the complementation property for small improvements of an attack. For the sake of shortness we concentrate on one example. Recall the attack in Section 3. Let $S_A$ be chosen such that for all $a \in \{0,1\}^s$ the equivalence $a \in S_A \Leftrightarrow \bar{a} \in S_A$ holds. The attack is unchanged except for Step 3:

3. for $a \in S_A(i)$:
     for $M \in \{0\} \times \{0,1\}^{k-1}$:
       $b := E_M(a)$;
       for $N \in K_3(b, i)$:
         for $L \in K_1(a, i)$: tripletest$(i, L, M, N)$;
       (* Next exploit $\bar{b} = E_{\bar{M}}(\bar{a})$. *)
       for $N \in K_3(\bar{b}, i)$:
         for $L \in K_1(\bar{a}, i)$: tripletest$(i, L, \bar{M}, N)$;

The analysis in Section 3 is not much affected. Neither the expected number of pairs of plaintext and ciphertext changes, nor the complexity $a$ of Steps 1 and 2, nor the attack's storage requirements.

With respect to Step 3, the loop "for $a \in S_A(i)$" is iterated $w^t \cdot 2^{-s(t-1)}$ times on the average. The loop "for $M \ldots$" is only iterated $2^{k-1}$ times, hence $w^t \cdot 2^{-s(t-1)} \cdot 2^{k-1}$ single encryptions $b := E_M(a)$ are done. So far we need $b \approx w^t \cdot 2^{-s(t-1)} \cdot 2^{k-1}$ steps for Step 3. Together the two loops "for $N \in \ldots$" need as much time as before: $c \approx w^t \cdot 2^{-s(t-1)} \cdot 2^k \cdot 2^{k-s} \cdot t$.

Choosing the parameters as before ($t = 7$ and $l \approx 2^{45.2}$), the operation optimized attack's complexity is the sum of three numbers $a \approx 2^{102.2}$, $c \approx 3 \cdot 2^{104}$ and $b \approx 2^{111}/7 \approx 2^{108.2}$.
[Footnote residue, mostly lost in the scan: for the variant of this section we do not … and approximate the overall number of steps and single encryptions.]

According to today's technology, neither MITM nor any of our attacks constitutes a practical way to break triple DES. If in the future an attack like MITM will be considered practical, then for doing this certainly some of the required resources will be more valuable than others. This paper provides a variety of options how to possibly save such bottleneck resources. A comparison is given in Table 1.



Table 1. Attacking triple DES with $l$ known (chosen) pairs of plaintext and ciphertext, and the expected number of resources required. [Most entries are lost in the scan; the recoverable columns are:]

attack        | t | l | memory        | steps      | single encryptions
MITM          | - | 3 | $2^k$         | $2^{2k}$   | $2^{2k}$
op. optim.    | … | … | …             | …          | …
(variant)     | … | … | …             | …          | …
encr. optim.  | - | l | $l \cdot 2^k$ | $2^{2k}$   | $3 \cdot 2^{3k-s} + 2^{k+s}/l$
advanced      | - | l | $l \cdot 2^k$ | $2^{2k+1}$ | $l \cdot 2^k + 2^{k+s+1}/l$

[The numerical rows for DES ($k = 56$, $s = 64$) are not recoverable from the scan.]



Van Oorschot and Wiener [6, 7] consider attacks with reduced memory requirements at the cost of increased running time. Usually, reducing storage requirements is seen as the main goal of improving an attack like MITM. The approach in Sections 4 and 5 is to decrease the running time at the cost of storage. An anonymous referee criticized this to make our attacks less realistic.

The current author's reply is that the basic MITM attacks on double encryption and two-key triple encryption both have balanced time-memory characteristics, i.e. require roughly one step of computation per unit of memory. In this setting, trading storage space at the cost of additional computational steps as van Oorschot and Wiener did certainly makes such attacks more realistic. On the other hand, the MITM attack on general (three-key) triple encryption has a highly unbalanced time-memory characteristic: $2^k$ units of memory and $2^{2k}$ steps are needed, i.e. $2^k$ steps per unit of memory. If $k$ is reasonably large ($k = 56$), decreasing the running time at the cost of additional memory requirements actually appears to make such attacks more realistic. (Today, though, our attacks are as far from being practical as is the MITM attack. It is quite difficult to reasonably estimate the economically best time-memory characteristics of future technology for which such attacks are practical.)

Even though our attacks are far from being practical today, this paper demonstrates that […]. Also, this paper illustrates that the ability to quickly perform many single DES operations is not crucial for breaking triple DES (though even the required number of single DES operations is too large to be considered feasible today). The number of memory accesses, i.e. table look-ups, appears to be dominating, with drastic consequences on the difficulty of massively parallel triple DES cracking.



The author is thankful to […] for discussing, and very much appreciates the referees' aid in improving the presentation of this material.



1. E. Biham, "How to Forge DES-Encrypted Messages in $2^{28}$ Steps", Technical Report CS0884, Computer Science Department, Technion, 199…; found in the www.

2. J. Kelsey, B. Schneier, D. Wagner, "Key-Schedule Cryptanalysis of 3-…, …4 and Triple-DES", Springer LNCS 1109, 23….
As mentioned in the introduction, the black-box-only model provides a proven environment to demonstrate the soundness of composed ciphers. Kilian and Rogaway [3] analyzed the block cipher DESX and its security in this model. Note that in the black-box-only model one concentrates on the number of encryptions and disregards all other operations.

A generalized variant of DESX is EX, based on the encryption function $E: \{0,1\}^k \times \{0,1\}^s \to \{0,1\}^s$. An EX key is a triple $(L, M, N) \in \{0,1\}^k \times \{0,1\}^s \times \{0,1\}^s$. The encryption function is $\mathrm{EX}_{L,M,N}(p) = N \oplus E_L(M \oplus p)$, where "$\oplus$" denotes the bit-wise XOR. Compared to triple DES, DESX is amazingly elegant and efficient.

Let $l$ denote the number of known (or chosen) pairs of plaintext and ciphertext. Kilian and Rogaway prove for EX that the attacker's advantage in distinguishing a standard random function unrelated to $E$ from an EX encryption using a key triple $(L, M, N)$ unknown to the attacker is

$\varepsilon \le l \cdot x \cdot 2^{-k-s}$,

where $x$ denotes the number of single encryptions. If $\varepsilon = 1/2$ and $l \le 2^{s/2}$, this requires about

$x \approx 2^{k+s-1}/l$ single encryptions, (2)

e.g. about $x \approx 2^{…}$ for DESX. (Note that Kilian and Rogaway consider $k = 55$ and ignore the additional key bit of DES; this is necessary for lower bounds in the black-box-only model due to the complementation property.) By presenting a chosen plaintext attack, Kilian and Rogaway also demonstrate that the above bound is tight except for a small factor.

Our result (1) in Section 5 for breaking triple encryption is surprisingly close to Kilian and Rogaway's lower bound (2) for EX. We conclude: in order to find some single cipher provably much stronger than EX (or DESX), one has to abstain from triple encryption (triple DES) or to forgo the black-box-only model. In other words, this paper gives evidence that it will be difficult to prove triple DES to be much stronger than the more efficient DESX construction.
is th most tho ou hly- n lyz iph in th op n lit tu ut t
mo th n two s it is hin th n o its us ul li tim th 56- 

it k y-1 n th is simply too sho t to s u inst s ions k ys ho ts. 
h o th is t int st in th s ho multipl mo o op tion 

0 whi h p ovi s in s st n th inst xh ustiv k ys h whil 

t inin th hi h 1 v 1 o n lysis n onfi n th t sin 1 - u ntly 

o s. 

ih m ih96 n lyz t m ny t ipl mo s o op tion n ok 

V y mo onsi x pt th ommonly-us t ipl - - mo (wh n 

us with som out h inin t hniqu ) . no tun t ly u to its sho t 6 - 

it lo k 1 n th t ipl - - h s som sho t omin s it is sus pti 1 to 

1 tion y tt ks (wh n 2® known t xts v il 1 ) n m t hin - iph t xt 

tt ks (wh p ti 1 in o m tion out th pi int xt is ov y usin th 

i th y p ox wh n 2 ^ known t xts v il 1 ). 

o imp ov this st t o is ih m p opos 9 n w lo k mo s n 2 
n w st m mo s o op tion o . h ompl xity o tt kin th s n w 
mo s is onj tu to 1 1 st 2 h qu upl mo s w onj tu 

u s w 72 2 26 

o 




Cryptanalysis of Some Recently-Proposed Multiple Modes of Operation

to mo s u th n ny t ipl mo ; u th mo th ompl xity o tt kin 

two o th qu upl mo s w s onj tu to t 1 st 2 ^ . 

his p p shows th t wh n w How hos n- hos n-t xt tt ks most 

o th p opos mo s not si nifi ntly mo s u th n sin 1 - 

p ovi n w tt ks inst 11 ut on o th mo s. 

Not th t ih m’s stu i s w p mis on mo st i tiv th t mo 1 

th t i not mit hos n- tt ks so ou suits o not isp ov ih m’s 

onj tu s; ut ou position is th t th s n w suits is qu stions out th 

s u ity o ih m’s p opos mo s n illust t th ppli tion o n 1 

t hniqu s o ypt n lysis o multipl mo s o op tion. tion 3 o 

mo is ussion on this point. 

h p p is o niz s ollows. tion 2 st lish s som not tion n 

oth k oun n tion 3 is uss s ou th t mo 1. tion shows how 
to tt k two impo t nt 1 ss s o mo s usin ivi - n - onqu st t y 

n ppli s this suit to tt k six o ih m’s p opos mo s. tion 5 shows 
how to tt k ou mo o ih m’s mo s usin n ow-pip tt ks. in lly 

tion 6 is uss s som impli tions o ou suits n tion 7 w ps up th 
p p with som on lu in m ks. 



ih m V lop on is not tion o multipl mo s whi h is wo th summ - 
izin h . 11 o his n w mo s iv om th st n mo s 

o op tion n O s w 11 s th i o spon in 

yption mo s “ t . h not tion s to th mo wh 

th output o - n yption is to th input o - n yption; 

th op to n xt n to t ipl n hi h -o mo s. h not tion 

O s to mo whi h ppli s O to its input th n n ypts with 

mo n fin lly ppli s th s m O k yst m to th t suit. (Not 

th st ms xo into th input n th output o n t om 

sin 1 k y n th o .) his n n liz to mo s 

su h s O wh w pply O th n th n O in 

th n n th n O on mo . ( in 11 th O output st ms 

th s m !) h not tion O — s to st m mo whi h ppli s 

n yption to th k yst m n t y O mo n xo s th suit to th 

pi int xt. no ou s us th ^ op to to fin t ipl n hi h -o 

mo s too. 

o 1 ity w will tt mpt to us th s m not tion o pi int xt iph t xt 

t . th ou hout this not . w it * o ( sp tiv ly * o ) o th 

lo ks o th pi int xt ( sp. iph t xt). It* 0** 1***« not th 56- it 
k ys n w it •• 0*** 1**** o th o spon in s. num th 

k ys * 0** 1**** o in to th o th t th sin 1 -mo pp s in this 

not tion o inst n in O ” th O -mo is k y with * 0 

th with* 1 n th “ with* 2. h n multipl pi int xt/ iph t xt 

pis o t in in n tt k un w w it * * o th ull pi int xt o th 




6 



1 



n r 



*-th m ss w it • . • o th *-th lo k o * * n so on. 1 t * . (* ) st n 
o th sin 1 - n yption o th input lo k * un th k y * . 




h mo 



s n X mpl o this not tion w pi t th th “ ~ 

mo in i u 1. 

11 o ou tt ks ov th s t k ys. h si i s hin th 
tt ks not nti ly nov 1; m ny o th m ppli tions o th n 1 
tools wo k out y opp smith ohnson n ty s 97 n ih m 

ih9 ih9 ih96 . 

h nin n w lo k mo s whi h ih m p opos 



1. O 

2. O 

3. O 





. o 

5. - - 

6 . - - 

7. O 

. O n 

9. O 

h p opos st m mo s 

1. O — >■ — >■ n 

2. O 

n th ollowin s tions w fin n w tt ks on 11 o th s x pt O 



n this s tion w x min th tt k mo 1. h oppon nt is ssum to h v 
th n ss y omput tion 1 pow to p o m 2 ® o -lin t i 1 n yptions. 

ssum (sisstn )thtth vsy np om known-pl int xt hos n- 
pl int xt n hos n- iph t xt tt ks. 

o w h V not vi t om ih m’s mo 1. list low th impo - 

t nt i ns. 



• •• • ••••• •••• • •• • 

h most impo t nt i n tw n th two mo Is om s wh n w x min 

th t tm nt o s. 

n on mo 1 mo is ss nti lly mini-p oto ol sp i yin how to p - 

o m s u m ss t nspo t. o s n th s t m ss • on n iph s * 

un th pp op i t multipl mo with k y * n with n omly hos n 

s**0 t nsmittin th un 1 • • 0 ov th ins u 

m ium; th iv ypts * with th sp ifi s un th sh k y 

* n ov s th ypt m ss * . h su tl ty om s wh n w int o- 

u tiv tt k s with th ility to p o m hos n- iph t xt tt ks su h 

V s i s to sp i y ny iph t xt * Ion with ny s t o s th y 

wish n th y will iv th yption * o th t iph t xt. 

Ou tt k mo 1 ptu s this notion. us w How hos n- iph t xt 

tt ks w Iso How ( s n tu 1 ons qu n ) hos n- hos n- iph t xt 

tt ks. t is wo th notin th t this hoi in u s sli ht ssym t y tw n 

hos n-pl int xt n hos n- iph t xt tt ks v s i s m y ont ol th 
in hos n- iph t xt tt ks ut not in hos n-pl int xt tt ks. 

n ont st ih m i not onsi hos n- tt ks; v n known- t- 
t ks w m ntion only in w sp i 1 s s. is mo 1 is mo 1 nt 
n 1 n on lysis; o inst n th symm t y nsu s th t th s u ity 
to o mo is th s m so its inv s . Iso tt ks 11 th mo 







omp llin wh n th y p o m in ih m’s mo st i tiv mo 1. in lly 

ih m’s tt ks m in ppli 1 v n wh n sp i 1 m su s to p ot t th 

t k n wh s on tt ks m y stopp y su h m su s. 
t k th ons V tiv philosophy th t ou mo 1 shoul How v s i s 
onsi 11 w y; i th yptosyst m n st n up to tt k in su h mo 1 
ou ssu n o s u ity will 11 th t . t o ou justifi tion o 
this pp o h is th t t ipl with out h inin 1 y o s p tty oo 

s u ity with only w sho t omin s i w w nt to o tt ou th shol 
shoul quit hi h. 

Ou tt ks will t k V nt o this ility to ont ol th so th y 
not i tly omp 1 to ih m’s suits, ow v num o th hos n- 

tt ks n onv t to known- tt ks with only mino in s in th 

ompl xity o ypt n lysis so som omp isons m y possi 1 . tion 6. 

V n wh w not w o known- tt ks w vi w ou hos n- tt ks 
s tifi tion 1 w kn ss s th t shoul t th v y 1 st is w nin fl s 

out th s u ity o th mo s in qu stion. 

his su j t is not y t xh ust . tion 6 o som simpl ount - 

m su s to sist hos n- tt ks som ount - ount m su s n th i 

impli tions o th int p t tion o ou suits. 

• •• • ••••••• ••••••• 

ih m’s mo 1 Iso i s om ou s in noth sp t w How ptiv 
hos n-t xt tt ks wh s ih m i not onsi ptiv tt ks. o ov 

ih m n lly qui only on n ypt st mo his n lys s. n ont st 

11 o ou tt ks st in th 1 n u o ptiv tt ks. 

vi w this istin tion s 1 tiv ly mino . 11 o ou ptiv tt ks n 

sily onv t to non- ptiv tt ks with n li i 1 in s in ompl xity 
( n o sion lly su st nti 1 in s in th num o m ssy t ils); in 

sho t th ptivity is m ly onv ni nt not un m nt 1. 



On philosophi 1 point is th t w t y to xpli it out th sou qui- 
m nts o ou tt ks listin s p t ly th num o hos n t xts o in 

yptions n m mo y wo s n . h is th n to ssi n pp o- 

p i t osts to h sou o in to his oh s u ity nvi onm nt. 

t woul simpl to 1 1 h tt k with simpl ompl xity m su 

th t qu t s th ost o on hos n t xt with th ost o on til yption. 
n suhmsuhs tn fits o simpli yin n lysis summ izin 

suits n omp in mo s; n it is v y us ul fi st pp oxim tion. h 

w k is th t hi hly th o ti 1 tt ks n in 2 ® hos n t xts m y 

qu t with mo s ious tt ks n in only 2 ® t i 1 yptions. n p ti 

th t istin tion n iti 1. h o wh possi 1 w im to imp ov th 

qu lity o th pp oxim tion y usin mo xpli it ompl xity m su s. 
1 st w list som i ly 1 m nt y tt ks on s v 1 mo s. h s 11 h v

th fl VO o “ ivi - n - onqu 1 o ithms n m ly w isol t th to 

h su k y with hos n- iph t xt p o n th n ov h su k y with 

2 ® xh ustiv k ys h. 

y th no this s tion w will s how to tt k th lo k mo s 

0 1 2*** • n 0 1 2*** • o ny'inthspil s wh 

h mo * is ith o “ . h intuition is th t in su h mo s 

w h V th 1 tion 

* 0 = * 0 * • o(** 0) *** *••(***) (1) 

on th fi st lo k; this is hi hly lin n th o hi hly suspi ious. 

will Iso s how to tt k st m mo s o th o m O — > 1— >■ 

•••—!■ • i h mo * is on o O ~ . h 

1 is th t w n pply ivi - n - onqu tt k th t isol t s th to 

th 1 st k y • • (with sin 1 hos n- iph txtqu ythtpo s***);w 

th n st ip o th 1 st mo n ontinu it tiv ly. 



Ou tt k on th O mo is ompos o th ph s s; h 

ph s isol t s th t o on k y • • . i st w ov th k y • 1 us 

in th fi st mo y usin on hos n- hos n- iph t xt qu y n m ly 

w isol t th t o * 1 y p o in • • 1. n th s on ph s w ov th 
ky*2 ypoin **2 with simil hos n- iph t xt qu y. in lly * 0 is 
ov y xh ustiv k ys h. 

n th fi st ph s w p o * * 1 to isol tth to*ln ov*l 
with 2 ® xh ustiv kys h. Lt* 0** 0 known pi int xt/ iph t xt 
p i with known s. onst u t hos n iph t xt qu y * 1 s ollows. 

ik**ll = **10 st**01 = **00***21 = **20 tk • 1 = • 0 
n o t in th yption * 1 o th n w iph t xt. Not th t y qu tion 1 

*o0 *ol=*- (**10) *. (**11)* 

h o wmyfin*ly 2®xh ustiv k ys h o nizin th i ht 
k y V lu wh n th ov qu tion hoi s; with hi h p o ility w xp t no 
w on k y V lu to su viv th h k. 

h s on ph s ov s * 2 in n nti ly n lo ous shion this tim 
p o in ** 2 inst o ** 1. 

in lly in th thi phswp om 2®xh ustiv s h ov * 0 (th 
only m inin unknown k yv lu ). h o th tot 1 ompl xity o th tt k 
is two hos n- iph t xts n 5 2 ® o -lin t i 1 n yptions. 



h O “ mo n ok n in w y nti ly n lo ous to th 

ypt n lysis oO po**linon hos n- iph t xt qu y to 

ov *lthnpo **2tol n*2 n xh ustiv ly s h ov * 0. o 

th O “ mo too n ok n with two hos n- iph t xts 

n 5 2 ® o -lin t i 1 n yptions. 



h O mo n Iso ok n with th s m t hniqu . o 

this mo w n th hos n- iph t xts n 7 2 ® o -lin t i 1 n yptions. 

• •• ••••••••••• * •• • • * 

his mo is Iso sy to k usin th s m t hniqu s. (Not th t th 
“ “ mo is illust t in i u 1.) s o in th fi st 

phsw npo **0to isol tth to*0n ov*0yxh ustiv 
s h; ontinu to ov th st o th k ys. n this w y w n k th 
~ “ mo with tot 1 o th hos n- iph t xts n 

7 2 ® o -lin t i 1 n yptions. 



O — i- -> mo is h t iz y th 1 tion 

*o = *o * . 2(** 2 *. (•• 1 *.o(**0)))* 

n th fi st ph s o ou tt k w p o ** 2 to isol t th t o * 2. 

o p islylt*0**0 known pi int xt/ iph t xt p i with s 

•• 00*** 10*** 20 n oust u t hos n- iph t xt qu y s ollows. t 

* 1 = * 0 pik**21 = **20 n st**01 = **00 ***11 = **10* 
N xt issu hos n- iph t xt qu y o th • 1 • * • * 1 to t * 1 . in lly 
not th t 

**2 0 **2 1 =*. 2 (* o 0 * o 0 ) *. 2 (* o 1 * 0 1 ); 

this 1 tion 1 ts us ov * 2 with 2 ® xh ustiv s h. 

h s on ph s o th tt k p o s * * 1 in simil w y to ov 

* 1. in lly * 0 n o t in in thi ph s y ut o . n sum this 

ypt n lysis qui s 5 2 ® o -lin t i 1 n yptions n two hos n- iph t xts. 
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Ou tt k on O — > — > mo p o s in v y simil w y to th t 

si in th p vious p ph. p o * * 2 in hos n- iph t xt t- 

t k whi h Hows us to isol t th t o * 2 y th ollowin 1 tion 

• 0 0 • 0 1 * 0 0 • 1 = • . 2 (** 2 0 ) *. 2(**2 1 )* 

h n • 1 is ov n lo ously n • 0 y xh ustiv k ys h. h tot 1 

ompl xity o this tt k is two hos n- iph txtqu is n 52®o -lin t i 1 

n yptions. 



n this s tion w s i num o n ow-pip tt ks. ( y “n ow 

pip w m n t h nn 1 th t is 1 tiv ly n ow only 6 its wi o 
inst n .) h si t hniqu is to i nti y som n ow pip th ou h whi h 
11 i usion is h nn 1 ; th n you n t un h o t xts n look o 

ollision in th t n ow pip . h i th y p ox ssu s us th t w will fin 

ollision in th n ow pip 1 tiv ly qui kly (within 2" ‘ ^ t xts o * - it 

pip ). h n w hop (l)thtw n o niz th ollision y lookin only t 

th pi int xt n iph t xt n (2) th t w n us th t knowl to u 
som 1 tion whi h isol t s th to just on k y. h n th tt k is 

si n o tly w will 1 to fin o niz 1 ollisions in th n ow 
pip th t 1 t us u impo t nt in o m tion out som k y * * st n in 
Ion . t ov in * * with 2 ® xh ustiv k ys h w mov th t 
o th t k y n tt mpt to solv th u mo y it tin th tt k. 

n this s tion w show how to k th “ “ lo k 

mo swllsthO O nO 

“ mo s. 



o k “ “(siu2)wfistov*0y 

poin **l.Lt* 0** 0 known pi int xt / iph t xt p i with known 

s n uil hos n iph t xt qu y s ollows. ik**ll=**10 st 
•**1=***0 o *=ltk • 1=* 0 n otinth yption • 1 o 

th n w iph t xt. Not th t 

••10 •• ll =^. o (**00 • oO ) •. o (**01 • qI )* 

h o wmyfin^Oy 2®xh ustiv k ys h o nizin th i ht 

k y V lu wh n th ov qu tion hoi s; with hi h p o ility th h k will 

limin t 11 in o t u ss s t th k y. 

On w ’v 1 n • 0 with 2 ® wo k n on hos n- iph t xt qu y w 

nploth to^On u thpolmtothto kin th 
“ “ mo 




h mo 



ih m onj tu th t th qu mo “ “is mo 

s u th n ny t ipl mo . Not th t ou p s nt tt k os not imm i t ly 
isp ov ih m’s onj tu sin ou u tion li s on mountin hos n- 

hos n- iph t xt qu y whi h is not Ilow in ih m’s s u ity mo 1. n 
tion 6.2 w xt n it to wo k with only known- qu i s whi h in s us 

st p los to ih m’s mo 1. 

now s i how to finish th tt k on 

“ “ . 11 th t m ins is to n lyz th t ipl mo 

“ “ . ih m h s show how to k this t ipl mo with 2® 

hos n pi int xts n 2®® wo k ih96 . Non th 1 ss in ou s u ity mo 1 2® 
t xts quit hi h i n on mi ht won wh th th mo 

i nt tt ks. 

h nsw is y s. p s nt n xt n w tt k on “ “ 

whi h qui s only 2 ^ hos n- iph t xt hos n- quis n 6 2®til 
n yptions. his n us s su outin to v lop ull tt k on th 
“ ~ qu mo with ou hly quiv 1 nt ompl xity. 

“ •••-• ov *2 ypoin **1. ix 

it y s ** 0*** 2. onst u t 2 ^ hos n- iph t xt qu i s s ollows. 
o h*pik*o* n **1* n omly n It* *=**1*. Now w 
o t in th yptions * * o thos 2 ^ iph t xts. s ho ••• su h th t 
* * = * * (usin h sh t 1 so s to voi in sin th ompl xity o

th tt k). Not th t two pi int xts will t inly m t h in th fi st lo k (i. . 

* 0 * = * 0 * ) i 

• ..i* =..2(*o* •• 2) * . 2(* 0 * ** 2) (2) 

hoi s us th n th sultin ollision tw n th s on n thi 

1 y s will n ss ily p op t up to th pi int xt. o ov i qu tion 2 

hoi s th n in t th two pi int xts will m t h in th i nti ty. 

( his is us th V lu t th ottom o th thi 1 y t th s on 

lo k is * * • 2 (* 0 " 2); now th hoi o nsu s th t * * 

••2(*o* **2) = **1* (••2(*o* **2) **1* •*1*) = **1* 

* • 2 (* 0 * •• 2) = • 2 * * • 2 (* 0 * ** 2) so w will t ollision t th 

ottom o th thi 1 y n this will n ss ily p op t up to th pi int xt.) 

in w n t 2 ^ iph t xts n th lo k siz is 6 its y th i th y 

p ox with hi h p o ility w will fin on pi *** s tis yin qu tion 2 
n so with hi h p o ility w will s • o som •• • . On th oth 

h n us * is two lo ks (12 its) Ion th hnsosin hn 

mth** — • • y i ntisvy low. h o w xp t to s on 
mth**=** nw nonlu thtosuh*** qu tion 2 must hoi . 

On w ’v oun pi *** wh qu tion 2 hoi s w n us it to isol t 

th t o * 2. his 1 ts us ov *2 usin 2 ® xh ustiv k ys h. in Ily 

knowin * 2 1 ts us u th p o 1 m to th t o kin “ mo 

whi h n on y st n t hniqu s without ny in s in ompl xity. 
his 1 ts us k th t ipl mo “ “ with 6 2 ® t i 1 n- 

yptions n 2 ^ hos n- iph t xt hos n- qu i s. ( n t th tt k n 

xt n to wo k just s i ntly with known- hos n- iph t xt qu is 

inst o hos n- qu i s; it just om s it m ssi to si.) 

o summ iz w n pply th s t hniqu s 

to k th “ “ qu lo k mo with 2 ^ hos n- 

iph txtqu is n 7 2®til n yptions. 

Not th t w oul m ti Ily u th num o hos n- iph t xt 
qu i s n i th w tt w y to k th t ipl mo “ 



o th O mo w us noth n ow-pip tt k om in 

with i th y um nt to fin ollision in th O st ms n t y 
two i nt m ss s. n t 2 ^ hos n- iph t xt qu i s s ollows. ix 

6 - it oust nt*fix**l***2 nlt**=( )o 11*. h onlyv lu 

th t V is will * * 0 * whi h w pi k n omly. O t in th yptions * * o 
thos hos n iph t xts. Noww s ho ***suhtht*.o(**0*) = **0*; 

this 1 tion nsu s th t th two O st ms o will m t h up 

( X pt th t th y will out o ph s y on lo k). O ou s iv n su h n 

••• w n ov * 0 with 2 ® xh ustiv k ys h. 
• • n (

p s nt 
qu 1.) 

y th 
V y 



ow n w o niz su h o tun t v nt Not th t p lin o th s on 

mo u in yption o**l vs( ) whil o * * w t 

•••• ). u th mo p lin o th fi st mo w t( )o 

) o * *.( wo on not tion th qu stion m ks “ just 

it y unknown v lu s; two nt i s oth m k with “ n not 
n oth wo s w n o niz ••• suhth t*. o(" 0*) = ** 0* 

' • — • 2 • n • •; Is 

hos n iph t xts th i th y p 



qui m nt th t 
n with 2 ^ 



1 ms shoul 
ox ssu s us 



th t w xp t to fin t 1 st on su h ••*. 

On w ’v oun ••• suhth t *. o(" 0*) — 0* 

with 2 ® xh ustiv s h. his u sth polmo 
to th t o kin ( mo v y simil to) 
n ok n i ntly with st n t hniqu s n in 



n ov * 
kin O 
h 1 tt mo 
t w n ov 



0 



1** 2 with on hos n iph txt n 32®tiln yptions. n tot 1 w n 
k O with 2 ^ hos n iph t xts n 2 ® t i 1 n yptions. 



O n ok n simil ly. i st w ov * 0 usin th 

s m t hniqu s s i ov o O . h n 11 w n to 

o is k ( mo V y simil to) n th t n on 

with two hos n iph txtqu is n 5 2®til n yptions. n tot 1 ou 
ypt n lysis o O n s 2 ^ hos n iph t xts n 6 2 ® 

t i 1 n yptions. 



not w o ny st on tt ks on th O “ mo 

h V n ow-pip tt k th t ov s th k y with 2 ^ o in til 

yptions 2 ^ hos n iph t xts n no m mo y; ut us this suit is 

so w k w will in om s i in it h 

Iso h V n tt k th t qui s 2®® known- hos n- iph t xt qu is 
2 ® o in til yptions n 2®® m mo y. his too is hi hly un listi 
ut w will sk t h th tt k h o ompl t n ss. p o mu h s in 
tion 5.2 with th ition 1 ompli tion th t w must Iso o n int n 1 

k h nn 1 to m t h. hoos 2® iph t xts * * =( ) o 11 

*. s k ••• su h th t * . o(" 0 * ) = * * 0 * whi h will nsu th t th 
two O st ms m t h up (out o ph s y on lo k); w Iso qui th t 
'• 2 (*o* ••o("0*) •*2*)=**2* whi h yi 1 s ollision (out o 

ph s y on lo k) in th ~ 1 y ’s int n 1 k h nn 1. h s two 



on itions nsu th t w n 0 niz su h P i *** yth on ition • 2 — * = *...*. u th mo th i th y p OX p i ts th t w will n ount on su h ••• ; on w V o niz it w n us th known s to ov * 0 with 2 ® xh ustiv k ys h. h n th st 0 th k y m t i 1 n 0 t in with m t-in-th -mi 1 s h.
n sho t w un 1 to m k mu h p o ss on th n lysis o O
“ n so w 1 V it s n op n qu stion o oth s to x min . 



p s nt n tt k th t ks th O ~ mo with on 

hos n iph t xt qu y n 2 ^ wo k. his is n un listi tt k ut it shows 
th t this qu upl mo o s not tt in th st n th on mi ht i lly hop 
o in qu mo wh n hos n- qu i s th t. 



i st w p 0 ** 2 to isol t th t 0 * 0** 1. L t * 0 ** 0 known pi int xt/ iph t xt P i with known s * * * 0 . onst u t hos n iph t xt qu y ' • • • • • 1 y t kin * 1 — • 0 1 ttin * * * 1 = * * * 0 0 • = 0*1*3 n pi kin it y **2 1 i nt om **20. h n w h V th 1 tion

**2 0 ** 2 1 = *• (• oO • • 1 * . o(** 0)) *. (*ol "1 *• o(** 0))*



whi h Hows us to isol t th to* 0** 1. Now w ov • 0** 1 with 
2 ^ xh ustiv k ys h. 

in lly on w V 1 n • 0** 1 w n ov • 2** 3 with s on 

xh ustiv k ys h. ( n t w oul us th m t-in-th -mi 1 tt k on 

ou 1 - to ov • 2** 3 ut this will not u th tot 1 ompl xity o 
th ull tt k si nifi ntly.) 

h tot 1 ompl xity o th tt k is 3 2 ^ o in t i 1 n yptions n on 
hos n- iph t xt qu y. his shows th t th qu upl mo O 

“ is no st on th n t ipl - - (with out h inin ) inst hos n- 

hos n-t xt k y- ov y tt ks n so th ou th 1 y s ms w st . 
t is int stin to not th t th p s nt tt k os not pply to th t ipl 

mo O “ V n thou h this mi ht s m lik p ox t fi st 

1 n . his 1 V s op n th ount -intuitiv possi ility th t th O 

“ t ipl mo mi ht w 11 st on th n th O “ 

qu upl mo . 



11 o ou tt ks h V li on th ility to ont ol th o y ou 

tt k mo 1. his is s th issu o wh th it is possi 1 to p v nt th s 
tt ks with simpl ount m su s. h nsw s ms to mix y s th 
som simpl ount m su s ut th y h v limit tions. su v y som 

possi 1 pp o h s h 

• •• • ••••••• ••••••• 

On su stion is to n ypt th sot nsmission 

(with s y t ipl - o qu upl - ) th th n s n in th s in th 

1 . his thw ts th tt k s ility to hoos th x t v lu s o th s. 
On th oth h n this pp o h h s w kn ss wh n on n ypts h

in p n ntly th tt k n still us ol v lu s in n w hos n i- 
ph t xts. om o ou tt ks (suit ly mo ifi ) n onv t to wo k 

inst this p oto ol wh n (1) th y only ly on th ility to o * ( o 
som hoi s o *) to th s m o 11 hos n iph t xts n (2) th tu 1 

V lu o • is i 1 V nt. s n illust tion w show th t O — > — )■ 

is no s with this p oto ol th n o t k 

••20 = ^^22 = = ^^23 =•• 

••10 = ••!! ^••IS = • 

0 som unknown no 0 to onst nt; th n w h v th 

1 ntity 

*-2(*o0 •oO) •• 2 (*ol *o1)=*-2(*o2 ^02) •• 2 (*o 3 • 0 3 )• 

whi h 1 ts us ov • 2 with 2 ® wo k n ou hos n- iph t xt qu i s n 

• 1 will 11 soon th t . o n yptin th s is no u nt os ty. 

noth n tu 1 tion is to simply insist th t s n s 

pply to th s whi h iv s must v i y o yptin . y 

p ot tin th int ity o th s this stops hos n- tt ks. 

his pp o h still 1 V s th us s op n to known- tt ks wh n th y 
xist. om mo s sus pti 1 to known- tt ks; oth s m y not 

low o w illust tions o this n . n n 1 th known- tt ks 
th t w know o usu lly qui mo t xts th n th i hos n- ount p ts 

so in th s m y u th th t 1 v 1. 

noth um nt inst this pp o h is s on n in in onsi - 
tions. Now w h V n w p oto ol whi h is mo ompli t n whi h 

int o u s n whol n w p imitiv to th mix. n up pi in on ilu 
mo with two i ith th n yption 1 o ithm o th is omp omis 

th n th m ss k ys must ov . t is p h ps imp u nt to ly on th 

s u ity o th to p ot t onfi nti lity just s ons v tiv ypto phi 

si n 11s o in p n nt s ssion k ys o uth nti tion n onfi nti lity 

1 o ithms (to limit th imp t o th omp omis o ny on 1 o ithm) w 

woul o w 11 to voi linkin th s u ity o ou with th s u ity o ou 

n yption 1 o ithm. 

oul p h ps fi st n ypt n th n uth nti t th s to stop oth 
known- tt ks n tt ks whi h tt mpt to pi y ol s. ow v in 

this mu h ompl xity to th syst m m y in to t st th limits o on ’s om o t 

zon ; t th 1 st mo n lysis s ms n 

opp smith t 1. 97 h V ppli nov 1 

ount m su to stop hos n- tt k w is ov on th i o i in 1 
p opos 1. h y limit th possi 1 v lu s o h to sm 11 su s t on is 
fix t 0 n th oth 6 - it h s o its its fix t 0. his un n y 

limits th ility o n tt k to ont ol th n ount s th tt k w 



oun . 
his is V y 1 V t i k ut it only s ms us ul in t in s s. in

un n y to s will not stop most o th tt ks list in this p p . ixin 

t in s t 0 woul t m ny o th tt ks ut it s ms th t su h 

m su oul V s ly t s u ity in oth w ys o num o th mo s 
p opos y ih m. t s ms possi 1 th t this ount m su my int o u 
s m ny p o 1 ms s it solv s nsow wyo pnin upon it o 
s u ity. 

his is y no m ns n xh ustiv list o v il 1 mis. 

Non th 1 ss w n m k som omm nts th t s m o ly ppli 1 . 

ny o th o vious ount m su s h v not y t n su j t to on- 

t n lysis n w h v tt mpt to show th t th som pit 11s to 

w t h out o . 

till it s ms lik ly th 1 1 hniqu s n v lop to p ot t th s quit 
tho ou hly o som (i not 11) o ih m’s mo s. O ou s on h s to us 

th m n us th m with xt m ; it is t ils lik this th t pi u 1 

impl m nt tions. h nt 1 qu stion is this will su h ount m su s p ov 

ost- tiv o will th s V n mo s su o t un th w i ht o th 
xt p utions th y qui o s h is n 



toppin hos n- tt ks is not nou h i th si i s hin thos tt ks 
n 1 V into sh p tt k. o illust t th point w not th t 

num o ou hos n- tt ks n onv t to known- tt ks. su lly 

this in s s th num o t xts n to mount th tt k. h s known- 

tt ks inv i ly mo i ult to si n p h ps mo i ult 
to is ov th n th i hos n- ount p ts. 

o X mpl 11 o tion ’s ivi - n - onqu tt ks on t ipl mo s 

n mo ih to wo k with 2® known- hos n pi int xts. s i th y 
tt k to fin two t xts with m t hin v lu s o ** 0*** 1; th n th t p i 1 ts 
you p o * * 2 n thus ov * 2 n • 1 is ov simil ly. 

h num o known- qu i s n u y usin m t-in-th -mi 1 

t hniqu s. o inst n on n k O with 2 ^ known- 

hos n pi int xts. s i th y tt k to fin two t xts with • • 0 * = 

• • 0 * . 1 n th t 

• . (•• 1 • ) • . (•• 1 • ) = • . 2 (** 2 * ) • . 2 (** 2 • )• 

whi h 1 ts us ov • 1** 2 with ompl xity 2 ® y st n m t-in-th - 

mi 1 tt k. ( h st i ht o w impl m nt tion o th t tt k Iso qui s 
2 ® sp thou h th sp qui m nts n m ti lly u y usin 

p 11 1 ollision s h 1 o ithms O 96 .) 

pplyin th s t hniqu s w n onv t ou hos n- tt ks to tt ks 
whi h n 2 ^ known- hos n t xts n • (2 ®) wo k o 11 th t ipl mo s 
in tion s w 11 s o O .0 Iso 11s 

with 2 ^ known- hos n t xts u to pi o lin lu k * 0 nnot t 
ov s * 0 with 2®


known- 
® t i 1 n


yptions 
th n k th whol qu mo with noth 6 2 ® t i 1 n yptions n
2 ^ known- hos n t xts. ( h s stim t s on h n th t ils o th 
n lysis un h k .) 

n i nt lly th s suits woul isp ov ih m’s onj tu s o s v 1 o 

his mo s ** w m k th m jo on ssion o ptin th v li ity o known- 

tt ks. ( ition 1 mil on ssions qui in som s s.) o inst n 
it woul show th t “ ” “ ” n 

0 not mo s u th n 11 t ipl mo s i w Iso 
ssum th t th is som t ipl mo whi h sists 11 tt ks o ompl xiti s 

1 ss th n 2® ; th 1 tt ssumption is quit son 1 s t ipl - - with 

out h inin is n x 11 nt n i t o on su h mo . O 

11 with ompl xity 2 ® whi h woul isp ov (i w pt known- tt ks) 
ih m’s onj tu th t it h s s u ity to o 1 1 st 2 ^ . h t ipl mo s 

( X pt O “ ) 11 to tt ks with 2 ® ompl xity (i w pt 

known- tt ks) whi h is 1 ss th n th onj tu 2 ^ s u ity to . 

h s suits o not tu lly ut ih m’s onj tu s u ity to s. 

ow V th xist n o known- tt ks o low -th n- xp t ompl xity 

in s us st p los to un st n in th t u s u ity 1 v 1 o th s mo s. 
suits illust t th i ulty 0 uil in s u mo s th t ont in
inn h inin . h no int n 1 k m h nisms is th t th ypt - 

n lyst my 1 to p o th int n Is o th multipl mo o op tion y 

usin hos n-t xt qu i s; in m ny s s this Hows th ypt n lyst to isol t 

th t o p t o th k yin m t i 1. 

his wo k s i s n w ilu mo o su h syst ms wh n th v s y 

n in ont ol o v lu s. his p s nts ition 1 vi n o th ility 

0 onst u tions s on int n 1 k. 

li V th t it woul p u nt o ons v tiv ypto phi n in s 

to voi multipl mo s with inn h inin until th y tt -un stoo y 

s h s. o now t ipl - - s ms to p ovi mo o ust o t 

1 st tt -un stoo s u ity. 
h s iptiv t in “n ow pip is u to ohn K Is y. h utho is ply

t ul to li ih m o his omm nts whi h h v tly imp ov th qu lity 

o this wo k. 
r ort 996.

. o rs it . . o nson n . . t s “ ri 
P.C. van Oorschot and M.J. Wiener, “Improving implementable meet-in-the-middle attacks by orders of magnitude,”
Springer-Verlag, 1996.
4tlokphp nt tth t oftw

n ypt on ok hop n nu y 199 . t nt o u th on pt of 
k y p nt t on to p ov th t n g n t ff nt 1 n 
1 n ypt n ly . n th p p w w 11 how how v th t w n u 
low ng w ght ffn topfo ptlkypn 

nt ff nt 1 tt k on . h n on In on th t th k y 
p nt t on not ff t v t w onj tu to 



7 whi h t lo k iph with h t n hi tv th op n n n o i 64 it itl t u tu i il to th

Igo ith t k 64 it k y n u 16 u k y in 16 oun . 

i nt hin whi h u oun with 64 it k y n 

V i nt whi h u 16 oun n 64 it k y . 



s u u h oun un tion p 32 it 

input to 32 it output u ing 60 it u k y. i t th 32 it input i xp n 
to 40 it V lu . 20 it u k y p o k y p ut tion n 40 it 

u k y i xo to th ulting v lu . in lly it u ou 10 to it ox 
n p ut tion to o t in th 32 it ult o th oun un tion. 



n thi p p it nu o ight to 1 t t ting t it 

z o. o th ight o t it o n it v lu F i Vq whil th 1 t o t it i 
14 _ . h ou ox u in th oun un tion 11 0 1 2 n 

3. 

pon o y th p oj t of th 1 O fo nt fi hn 1 n 

ultu 1 ff (O ) Ig u . 

h utho wo k w on u ng h t y n L uv n po t o to 1 f How of 
th h oun 1 of th . . L uv n. 

• O. h t nt pon o y th un fo nt fi h 1 n 

Ig u . 

y tt yt 322023 

o 




Differential Cryptanalysis of the ICE Encryption Algorithm 2 1

T s u h 32 it input to th un tion i xp n to 

on 10 it V In 0 1 2 3. 

T u 20itukypo kyput tion on 

th xp n 40 it t xt w pping it tw n 0 n 2 n tw n 1 
n 3. p ut tion k y it 10 + ( 10) i t it o On 2 will 

w pp . p ut tion k y it ( 10) i t it o In 3 will 

w pp . 

T h 40 it ult o th k y p ut tion i xo 

with 40 it u k y. 

T S s u on 10 to it ox to p th 40 it v lu to 
32 it V lu . h ox i il in t u tu to tho u in L K 

4 3 in th i u o loi i 1 xpon nti tion. o th 10 it input X w 

on t n t X n Xq to o th ow 1 to . it X X o th olu n 

1 to (7. o h ow th i X o t v lu . n loi i 1 p i 
(i u i 1 polyno i 1) . . h it output on ox o n input X i giv n 
y (C* © . ) o . un loi i 1 ith ti . 

T u u in lly th ou it ox output o in 

vi ox into th 32 it output o th un tion. 

T s u h k y h uling Igo ith p 64 it k y to 16 

60 it u k y . h u k y it i p n nt on only on k y it. h hin 

k y h ul i i ply th fi t ight oun o th t n k y h ul . 

h k y h ul uil on th k y h ul n p 64 it k y 

to 16 60 it u k y . 



i nti 1 ypt n ly i w int ou yih nhi2n n 
u to p o ho n pi int xt tt k . h i i i th t two ho n 
pi int xt with t in i n ® 2 n n iph to two iph t xt 

u h th t C C (B C 2 h p ifi V lu with non n gligi 1 p o ility n 
u h h t i ti ( C ) i u ul in iving t in it o th k y. h 
h t o i nti 1 tt k i th fin ing n th u o h t i ti with high 
p o iliti . 

h n ly i o in 7 on i only y t i i n whi h h v 
qu 1 1 t n ight 16 it h Iv o th 32 it input to th un tion. hi i 
1 i to th t t t gy in th y th only i n not t 
y th k y p ut tion. on qu n th tt k h to t g t t 1 t 
f

xpl in in th p viou tion w will o u on low ing w ight 

1 n th t only on ox in th oun un tion. t i not po i 1 

to nil 2 oun it tiv h t i ti lik th on u o th n ly i o 

2 with i n th t only on ox (u ing only th i 1 6 it 

out o th 10 input it to th t ox o th t it i not t y th xp n ion 
in th oun un tion). n how v uil 3 oun it tiv h t i ti 

o th o p ifi in igu 1. 




3 oun it tiv h t i ti . 



u w t i t th i n n to on ox th y n h v 

ing w ight o no o th n 4 h in th it output on ox 
liv t th p ut tion n th k y p n nt p ut tion in th n xt 
oun up to 4 it to n ox in th n xt ppli tion o th oun un tion. 








h h t i ti will V li i n not t y th k y 

p ut tion in th o pon ing oun . hi h pp n i th p ut tion k y 
it u in th it po ition th t t in n qu 1 to z o ( o th 

i n will not p ut o th 1 t 20 it h 1 o th xp n t xt to 
th ight o vi V ). 



h 1 o h t i ti th t V li only i t in p ut tion k y 

it qu 1 to on ( o pon ing to th it t in o o oth). ng n 1 
w 11 th h t i ti ( . th tt k on Lu i 1 ) whi h h v 



t in p o ility with ptto u tothkyp . hiugi 
vi 1 wh n th y i p ov th p o ility ov th t p o ility o non 

on ition 1 h t i ti y to high th n th inv o th 

(th tio tw n th iz o th u t n th iz o th k y p ) p i lly 

i vluhh titi n i ntly h th t u tu o ho n 

pi int xt . 

We consider only differences with Hamming weight one on the input of a single S-box. This gives a total of 10 conditional characteristics. Table 1 lists them together with all the other differences of Hamming weight 1 which can be used to construct 3-round characteristics with probability $2^{-22}$, and the corresponding probabilities. By interchanging the two bit positions we get twice the number of characteristics (except for the fourth entry in the table).

Table 1. Differential characteristics with Hamming weight 1 and probability $2^{-22}$. The two bit positions denote the positions in the 32-bit value that are affected; also listed are the required values of the corresponding permutation key bits in the second and third round of the characteristic. (The table body is not recoverable from the scan.)
Attack on 6 rounds

We use the 3-round characteristic with bit positions 2 and 1, followed by a trivial round with probability 1. The probability of this 4-round characteristic is $2^{-22}$. It is valid if the bits that are in the difference are not permuted in the respective rounds (rounds 2 and 3). This translates to the following conditions:

bit 14 = 0 of the permutation subkey in round 2,
bit 2 = 0 of the permutation subkey in round 3.

Examination of the key scheduling algorithm shows the corresponding conditions on the 64-bit user key:

bit 20 = 1 and bit 12 = 0.

Figure 2 shows the 6-round algorithm and the 4-round characteristic. The expected input difference to the round function in the last round is given by the characteristic, and the expected output difference equals the difference in the right half of the ciphertext. This allows us to check whether an encrypted pair (with the right difference in the plaintext) is a right pair for the characteristic. The difference delivers an input difference to S-box 1 or 3, depending on the value of the corresponding permutation key bit, so the output differences of S-boxes 0 and 2 have to be zero, as well as the output difference of either S-box 1 or 3. This corresponds to checking the value of $24 - 1 = 23$ bits. For a wrong pair the probability of surviving this filtering process is $2^{-23}$. The probability of generating a right pair is much higher ($2^{-22}$), so when a pair survives the filtering it is, with high probability, a right pair.

For such a right pair we know the input and the difference at the output of the last round, and for all possible subkeys we can check whether they correspond. Repeating this for about four right pairs (we need to generate about $4 \cdot 2^{22}$ pairs of plaintexts), the correct subkey will be suggested each time and can be distinguished from the other suggested subkeys.

The signal to noise ratio (the ratio of the number of times the correct key is suggested to the number of times an arbitrary key is suggested) for this attack can be calculated with the method described in [2]. It depends on the number of plaintext pairs, the probability of the characteristic, the number of key bits that we count on, the average count per analysed pair, and the fraction of the analysed pairs among all the pairs.

In this case the probability of the characteristic is $2^{-22}$ and the fraction of analysed pairs (the filtering) is $2^{-23}$. When concentrating on one S-box we are counting on 20 key bits (10 used for the permutation and 10 for the xor operation). The average count equals $2^{12}$, since we count on $2^{20}$ subkeys and check an 8-bit value (the difference at the output of the S-box). The signal to noise ratio is therefore

$$\frac{2^{20} \cdot 2^{-22}}{2^{12} \cdot 2^{-23}} = 2^{9},$$

and similarly for the other three S-boxes. However, S-boxes 0 and 2, as well as 1 and 3, use the same permutation key bits, which we have to determine only once. For the second S-box of such a pair we need to count on just the 10 xor key bits. In this way we determine all 60 bits of the subkey. The remaining 4 bits of the user key can easily be found by exhaustive search.

Attack on 8 rounds

One can extend the previous attack in a straightforward manner using a 6-round characteristic.

The attack can be improved, however, by inserting a round before the first round of the characteristic without reducing the probability, as in the attack in [2]. The resulting evolution of differences (assuming the encryption of a right pair) is shown in Figure 3. In the first round the difference at the input of the round function is an input difference to S-box 0 or 2, depending on the value of the corresponding permutation key bit. We guess this bit and repeat the attack if we have guessed wrong. To compensate the difference at the output of the round function of round 1 we use structures of chosen plaintexts in which the part of the plaintext affected by that output runs through all its values, so that every structure contains pairs which satisfy the first round.

Since the expected output differences of S-boxes 1 and 3 in round 7 are zero, we sort the texts according to the value of the corresponding bits in the right half of the ciphertext and find the matching values. We filter these using S-box 0 or 2 (as in the 6-round attack) and can expect a small number of right pairs per structure; by using enough structures 4 right pairs are expected. In total, however, there are many more pairs: after filtering on 23 bits we expect that 64 wrong pairs will remain. For this mixture of right and wrong pairs we try all possible subkeys, concentrating on one S-box at a time.

In the calculation of the signal to noise ratio for this attack an extra factor is imposed by the first round structure (only a fraction of the pairs in a structure satisfy the first round).

One can easily extend this attack to make it valid for twice as many keys. We just guess the value of bit 2 of the permutation subkey in round 6. If it equals 1 instead of 0, the round function in that round delivers an output xor different from the expected one. With a certain probability this output xor takes a specific value (in bit positions 7 and 30) and we can proceed with the attack in a similar way. The condition on the 64-bit user key is then

bit 3 = 0 and bit 9 = 1.

Alternatively we can do an 8-round attack using the characteristic with bit positions 31 and 26. According to Table 1 the probability of this characteristic is $2^{-23}$. The conditions on the permutation key bits translate into conditions on three bits of the user key, each of which has to equal 1. So the permutation key bit in round 6 doesn't impose an extra condition on the user key, and we don't have to guess this bit when using the characteristic with bit positions 31 and 26.

Implementation aspects

The attacks on the 6-round version and on the 8-round version have been implemented and run on an average workstation. Using low Hamming weight differences introduces some complications, however. The input difference to the last round is caused by the output difference of the previous round. That output difference is caused by just one S-box and has a Hamming weight of no more than 8, with an average of 4. Each S-box in the last round receives 2 of these bits. Because the key permutation swaps bits between the partner S-boxes 0 and 2 and between 1 and 3, an S-box will finally receive between 0 and 4 of these bits at its input, depending on the value of the permutation subkey. Only these bits can cause an input difference. If S-box 0 (respectively 1) gets some number of these bits, then S-box 2 (respectively 3) gets the remainder of the 4. For a particular S-box that receives $n$ bits with possible differences, the probability of getting input difference zero is approximately $2^{-n}$. Table 2 lists the possible values of that probability and the fraction of subkeys for which it holds.

Table 2. Probabilities of getting zero input difference to an S-box, with the fraction of subkeys for which each value holds. (The table body is not recoverable from the scan.)

If the input difference to an S-box is zero, all the guesses of the permutation subkey that cause a zero difference will count, and they will count for all possibilities of the xor subkey. The analysis of the attack is then less efficient and we have to look for more right pairs for the characteristic (in practice more than 4), hence more plaintexts.

For a fraction $2^{-4}$ of the keys the input difference to the S-box will always be zero, so we can determine only some of the permutation key bits and none of the xor key bits. But then the partner S-box has a probability of zero input difference of only $2^{-4}$. We determine the permutation key bits via this S-box, and the 10 xor key bits that we cannot determine are searched exhaustively after the differential attack (together with the 4 bits of the user key that are not used in the 60-bit subkey of the last round).

It is possible to exploit the occasions of zero input difference to improve our attack. If the input difference to an S-box in the last round is zero, the output difference is zero as well. In that case we know the corresponding difference at the input to the round function in the second to last round, and we can check whether its value corresponds to the value that is required for the characteristic. In this way we can do some extra filtering, which is important for the 8-round attack where we expect to get 64 wrong pairs. It will increase the signal to noise ratio and reduce the number of required plaintexts.



The 3-round iterative characteristic can be extended in a straightforward way to attack the algorithm with an arbitrary number of rounds. But if the number of rounds exceeds 9 the signal to noise ratio will drop below one, making the attack impossible (the trick of the previous section allows only a slight improvement by extra filtering). There are, however, several ways to improve the signal to noise ratio.

More S-boxes. When a pair survives the filtering (and is assumed to be a right pair following the characteristic) we know the input and the difference at the output of the last round and check whether they correspond. In the earlier attacks we concentrated on one S-box and counted on 20 subkey bits (10 used for the permutation and 10 for xoring). Instead we can consider two partner S-boxes (0 and 2, or 1 and 3) at the same time. They share 10 permutation key bits and both use 10 xor key bits. This allows us to count on 30 key bits and results in an improvement of the signal to noise ratio by a factor of $2^{8}$, because we also check the value of the 8 bits at the output of the second S-box (in the calculation of the signal to noise ratio we then have $2^{30}$ counted subkeys and an average count of $2^{14}$ instead of $2^{20}$ and $2^{12}$). In theory a further improvement (by a factor of $2^{16}$ or $2^{24}$) is possible by considering respectively three or four S-boxes (50 or 60 key bits).

Key schedule. When a pair is assumed to follow the characteristic we can also check subkey bits in the first round of the algorithm. In this first round we use special structures (cf. the attack on 8 rounds) and guess the value of the permutation key bit corresponding to the difference of Hamming weight one. Then we can count on the 10 xor key bits of the S-box where the difference of Hamming weight 1 is located. Moreover, due to the key schedule, some of the subkey bits in the first round represent the same user key bits as some of the subkey bits in the last round of the algorithm. This allows us to improve the signal to noise ratio further by counting on just a few more key bits. Note also that some of the key bits that we count on are already known due to the conditions on the user key of the characteristic.

1R attacks. The most important improvement can be made by adapting the characteristics. In the previous attacks we used the characteristics with the highest probabilities. The resulting attacks are called 2R attacks (cf. Biham and Shamir [2]) because they don't make assumptions about the last two rounds of the algorithm.

Instead we can perform 1R attacks using characteristics up to the last-but-one round. An example of the last round of such a characteristic is shown in Figure 4.

Although the probability of such characteristics is generally lower than for the 2R attacks, they are useful because they allow much more filtering and an overall improvement of the signal to noise ratio. Checking the difference at the output of the round function (the difference marked in Figure 4) is possible as it was in the second to last round in the previous attacks; this corresponds to checking the value of 23 bits. But we can also check the difference in the right half of the ciphertext against the characteristic. This results in an improvement of the signal to noise ratio by a large factor over the 2R attack; on the other hand the probability of the characteristic is lower.

Note that the key fraction is lower for 1R attacks because the characteristic also imposes conditions on the user key (except when the number of rounds is a multiple of 3).

Table 3 shows that the differential analysis works for up to 15 rounds of the algorithm, and lists the number of chosen plaintexts the attack requires for each number of rounds.

Table 3. The previous attacks using the best conditional characteristic. (The table body is not recoverable from the scan.)

The First Two Rounds of MD4 are Not One-Way (Hans Dobbertin)

Program listing. The type-macro name and the identifiers of the register variables and message words did not survive the scan. WORD stands in for the lost type name; A0..D0, A..D, x0..x28, delta0, delta1, x0_basic, x1_basic, P0..P2 and the labels part1/part2 are stand-in names chosen for readability, and statements whose operands were lost are summarised in comments instead of being reconstructed.

#define WORD unsigned long
#define shift(x,i) ((WORD)(((x)<<(i)) | ((x)>>(32-(i)))))
#define f(x,y,z) (((x)&(y)) | ((~(x))&(z)))
#define g(x,y,z) ((WORD)(((x)&(y)) | ((x)&(z)) | ((y)&(z))))

#include <stdio.h>
#include <stdlib.h>        /* srand, rand, atoi, exit */

int main(int argc, char *argv[])
{
  int i, k, sh, trials, zeros, ones, record, weight;
  WORD diff, test;
  WORD K1, K2, K3;                          /* additive constants */
  WORD x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14,
       x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28;
  WORD delta0, delta1, x0_basic, x1_basic;
  WORD A0, B0, C0, D0, A, B, C, D;          /* hash value, working registers */
  WORD P0, P1, P2;                          /* padding words printed at the end */
  /* the intermediate register values of the compression function were
     declared here as well; their names are lost */

  if (argc != 2) {
    fprintf(stdout, "usage: %s seed\n", argv[0]);
    exit(1);
  }
  srand(atoi(argv[1]));

  K1 = 0x5a827999;
  /* K2 and K3 are both set to the same constant, printed in the scan as
     0x5?90?134 (two hex digits unreadable).
     We have here a special case of a more general algorithm.  In general
     K2 and K3 are different but have only a small Hamming difference.
     How to choose these constants will be explained in the complete
     paper about this attack. */

  zeros = 0;
  ones = 0;
  trials = 0;

  /* Here you can specify the hash value (A0, B0, C0, D0) */
  A0 = 0x0;
  B0 = 0x0;
  C0 = 0x0;
  D0 = 0x0;

  A = A0;
  B = B0;
  D = D0;

  /* Here starts the first part: searching x1 */
  record = 33;
  /* two register values are drawn with rand() (the second one masked with
     0xffffff?f, one digit unreadable), x15 = 0x0 and x14 = 0x3?0 are fixed,
     and the remaining words of the first steps follow by inverting the
     step function:  x = shift(new, 32 - s) - old - f(.,.,.)
     (a rotation to the right by s is written shift(., 32 - s)) */
  x1_basic = rand();

part1:
  for (i = 0; i < 50; i++) {                /* bound reads "i< 50" in the scan */
    trials = trials + 1;
    sh = i & 0x1f;
    diff = shift(1, sh);                    /* flip one bit of the candidate */
    x1 = x1_basic ^ diff;
    /* recompute the dependent message words (x3, x5 .. x13, x0) by
       inverting the corresponding steps, run the first-round steps
       shift(. + f(.,.,.) + x, s) with s = 3, 7, 11, 19, and derive the
       value whose Hamming weight is to be driven to zero:
         delta1 = shift(., 3) - g(.,.,.) - . - .;   delta1 = delta1 ^ x11; */
    weight = 0;
    for (k = 0; k < 32; k++) {
      delta1 = shift(delta1, 1);
      weight = weight + (delta1 & 1);
    }
    if (weight < record)
      x1_basic = x1;                        /* keep the best candidate so far */
    if (weight < record) {
      record = weight;
      if (record < 8) {                     /* threshold digit unreadable; 8 is a stand-in */
        if (record == 1) ones = ones + 1;
        fprintf(stdout, "Part 1: aiming dist %i ", record);
        fprintf(stdout, "Trials %i ", trials);
        fprintf(stdout, "Ones %i Zeros %i\n", ones, zeros);
        fprintf(stdout, "%x %i\n\n", delta1, i);
      }
    }
    if (weight == 0) {
      zeros = zeros + 1;
      /* two consistency tests on g(.,.,0) and g(.,.,1) of the solution;
           test = g(.,.,0) ^ .;  if (test != 0) goto part1;
           test = g(.,.,1) ^ .;  if (test != 0) goto part1;
         then the sixteen register values of the solution are copied into
         x16 .. x28, A0, B0, D0 are restored, the standard MD4 initial
         values 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 are loaded
         and A0, B0, D0 are replaced by the differences -A0 + ., -B0 + .,
         -D0 + . */
      trials = 0;
      goto part2;
    }
  }
  goto part1;

  /* Here starts the second part: searching x0 */
part2:
  record = 33;
  rand();
  x0_basic = rand();
  /* as in part 1, the words of the first steps are obtained by inverting
     the step function (shift(., 32 - s) - . - .) */

  for (i = 0; i < 50; i++) {                /* bound reads "i< 50" in the scan */
    trials = trials + 1;
    sh = i & 0x1f;
    diff = shift(1, sh);
    x0 = x0_basic ^ diff;
    /* three words (x11 and x15 among them) are recomputed from x0 by
       inverting second-round (g) steps, e.g.
         x11 = shift(., 23) - g(.,.,.) - . - K1;
         x15 = shift(., 19) - g(.,.,.) - . - K1;
       then the first-round steps are run with s = 3, 7, 11, 19, the words
       x1, x13, x14 are recovered from the registers by inverting f-steps,
       and the value whose Hamming weight is to become zero is
         delta0 = shift(shift(., 13) ., 13) - x0; */
    weight = 0;
    for (k = 0; k < 32; k++) {
      delta0 = shift(delta0, 1);
      weight = weight + (delta0 & 1);
    }
    if (weight < record)
      x0_basic = x0;
    if (weight < record) {
      record = weight;
      if (record < 8) {                     /* threshold digit unreadable; 8 is a stand-in */
        if (record == 1) ones = ones + 1;
        fprintf(stdout, "Part 2: aiming dist %i ", record);
        fprintf(stdout, "Trials %i ", trials);
        fprintf(stdout, "Ones %i\n", ones);
        fprintf(stdout, "%x %i\n\n", delta0, i);
      }
    }
    if (weight == 0) {
      fprintf(stdout, "Cancel the third round ");
      fprintf(stdout, "of the MD4 compression function\n");
      fprintf(stdout, "then the following message X = x0..x28 has ");
      fprintf(stdout, "the hash value\n");
      fprintf(stdout, "A = 0x%x, B = 0x%x, C = 0x%x, D = 0x%x:\n\n", A0, B0, C0, D0);
      fprintf(stdout, "x0 = 0x%x; x1 = 0x%x;\n", x0, x1);
      fprintf(stdout, "x2 = 0x%x; x3 = 0x%x;\n", x2, x3);
      fprintf(stdout, "x4 = 0x%x; x5 = 0x%x;\n", x4, x5);
      fprintf(stdout, "x6 = 0x%x; x7 = 0x%x;\n", x6, x7);
      fprintf(stdout, "x8 = 0x%x; x9 = 0x%x;\n", x8, x9);
      fprintf(stdout, "x10= 0x%x; x11= 0x%x;\n", x10, x11);
      fprintf(stdout, "x12= 0x%x; x13= 0x%x;\n", x12, x13);
      fprintf(stdout, "x14= 0x%x; x15= 0x%x;\n", x14, x15);
      fprintf(stdout, "x16= 0x%x; x17= 0x%x;\n", x16, x17);
      fprintf(stdout, "x18= 0x%x; x19= 0x%x;\n", x18, x19);
      fprintf(stdout, "x20= 0x%x; x21= 0x%x;\n", x20, x21);
      fprintf(stdout, "x22= 0x%x; x23= 0x%x;\n", x22, x23);
      fprintf(stdout, "x24= 0x%x; x25= 0x%x;\n", x24, x25);
      fprintf(stdout, "x26= 0x%x; x27= 0x%x;\n", x26, x27);
      fprintf(stdout, "x28= 0x%x;\n\n", x28);
      fprintf(stdout, "The corresponding padding string is (P0, P1, P2):\n");
      fprintf(stdout, "P0 = 0x%x; P1 = 0x%x; P2 = 0x%x;\n\n", P0, P1, P2);
      exit(1);
    }
  }
  goto part2;
}
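The listing above repeatedly derives message words from prescribed register values, using the fact that every MD4 step is invertible in its message word: if a step computes a_new = (a + f(b,c,d) + X + K) <<< s, then X = (a_new >>> s) - a - f(b,c,d) - K, which is exactly the shape of the shift(., 32 - s) - . - f(.) lines. The following Python program is an added example, not the paper's code: it implements the MD4 compression function step by step following RFC 1320 (with the standard constants, not the modified K2/K3 of the listing), the per-step inversion, a helper that chooses all 16 round-1 words so that round 1 produces prescribed register values, and full MD4 with the standard padding so that the implementation can be checked against the RFC test vectors. The names step, solve_word, round1_trace, words_for_round1_targets and compress are this example's own; compress takes a rounds argument so that the two-round compression function the paper's title refers to can be computed directly.

```python
"""MD4 compression function, step by step, with per-step message-word inversion.

Added example, not the paper's program.  It follows RFC 1320 exactly (the
standard constants are used, not the modified K2/K3 of the listing above);
names such as step, solve_word and round1_trace are this example's own.
"""
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
K2, K3 = 0x5A827999, 0x6ED9EBA1            # standard round-2 / round-3 constants


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def rotr(x, s):
    return rotl(x, 32 - s)


def f(x, y, z):                            # round 1: choose
    return (x & y) | (~x & MASK & z)


def g(x, y, z):                            # round 2: majority
    return (x & y) | (x & z) | (y & z)


def h(x, y, z):                            # round 3: xor
    return x ^ y ^ z


# per round: boolean function, message-word order, rotation amounts, constant
ROUNDS = (
    (f, tuple(range(16)), (3, 7, 11, 19), 0),
    (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), K2),
    (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), K3),
)


def step(a, b, c, d, word, func, s, k):
    """One MD4 step: the new value of the register that is being updated."""
    return rotl((a + func(b, c, d) + word + k) & MASK, s)


def solve_word(a_old, b, c, d, a_new, func, s, k):
    """Invert a step in its message word: the word that maps a_old to a_new."""
    return (rotr(a_new, s) - a_old - func(b, c, d) - k) & MASK


def compress(state, words, rounds=3):
    """MD4 compression of one 16-word block; rounds=2 gives the two-round variant."""
    a, b, c, d = state
    for func, order, shifts, k in ROUNDS[:rounds]:
        for i in range(16):
            a = step(a, b, c, d, words[order[i]], func, shifts[i % 4], k)
            a, b, c, d = d, a, b, c        # the updated register moves to position b
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def round1_trace(state, words):
    """The 16 register values produced by the 16 steps of round 1."""
    a, b, c, d = state
    trace = []
    for i in range(16):
        a = step(a, b, c, d, words[i], f, (3, 7, 11, 19)[i % 4], 0)
        trace.append(a)
        a, b, c, d = d, a, b, c
    return trace


def words_for_round1_targets(state, targets):
    """Choose the 16 message words so that round 1 produces the given register values."""
    a, b, c, d = state
    words = []
    for i in range(16):
        words.append(solve_word(a, b, c, d, targets[i], f, (3, 7, 11, 19)[i % 4], 0))
        a, b, c, d = d, targets[i], b, c
    return words


def md4_hex(msg):
    """Full MD4 (RFC 1320 padding) of a byte string, as a hex digest."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    state = IV
    for off in range(0, len(padded), 64):
        state = compress(state, struct.unpack("<16I", padded[off:off + 64]))
    return struct.pack("<4I", *state).hex()


if __name__ == "__main__":
    targets = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]   # constructed sample values
    words = words_for_round1_targets(IV, targets)
    print("round 1 hits the targets:", round1_trace(IV, words) == targets)
    print("md4('abc') =", md4_hex(b"abc"))
```

Because each step is a bijection in its message word, any sequence of 16 register values can be reached after round 1 by a suitable message block; the difficulty the paper addresses is that the same 16 words are reused, in a different order, by round 2, so the freedom gained in round 1 has to be spent on controlling the later rounds, which is what the bit-flipping search over x1 and x0 in the listing does.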